Gen Agent Trust Hub audit: distill (skills/phrazzld/claude-config/distill)

Verdict: Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill's core workflow reads untrusted content from the repository and hands it to an AI tool, so instructions embedded in that content can be interpreted as part of the task.
  • Ingestion points: README, AGENTS.md, CLAUDE.md, every file under docs/, and key configuration files.
  • Boundary markers: The skill wraps none of this content in delimiters and gives the codex tool no instruction to treat it as data rather than as commands.
  • Capability inventory: The skill runs codex exec and reads files beyond the repository, including ~/.claude/CLAUDE.md in the user's home directory.
  • Sanitization: Ingested repository content is neither escaped nor validated before it is passed on.
  • Command Execution (LOW): The skill depends on a CLI tool named codex. It serves the skill's stated purpose of summarizing repository data, but running a non-standard binary carries inherent risk when the environment is not sandboxed.
  • Data Exposure (LOW): The skill explicitly reads ~/.claude/CLAUDE.md. This is likely intended to pick up global configuration, but reading from the home directory is a sensitive operation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:27 PM