skills/phrazzld/claude-config/stripe/Gen Agent Trust Hub

stripe

Warn

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The SKILL.md file explicitly references and instructs the execution of ~/.claude/skills/stripe/scripts/stripe_audit.sh. However, this script is not present in the provided skill files. Executing unprovided or external scripts introduces a significant risk of remote code execution or running unvetted logic.
  • Dynamic Execution (MEDIUM): The skill employs codex exec --full-auto to automate code remediation. This allows for the runtime generation and execution of code based on LLM analysis. This pattern is vulnerable to manipulation if the input data (project code/config) is compromised, leading to the execution of unintended or malicious code.
  • Data Exposure & Exfiltration (LOW): The scripts detect-environment.sh and stripe-env.sh access sensitive environment variables and .env.local files to extract STRIPE_SECRET_KEY. While this is part of the skill's primary purpose for account verification via the official Stripe API, it exposes high-value production credentials to the agent's context.
  • Indirect Prompt Injection (LOW): The skill identifies and ingests untrusted project files and environment variables to construct remediation plans. This surface could be exploited via malicious content in the scanned files to influence subsequent automated actions, such as those performed by codex exec.
      • Ingestion points: Project files matching stripe-related patterns and local environment configuration files.
      • Boundary markers: Not present; the skill lacks specific delimiters or instructions to ignore embedded commands in the data it processes.
      • Capability inventory: codex exec, npx (Convex), stripe CLI, and git command execution.
      • Sanitization: No evidence of input sanitization or validation before data is included in automation prompts.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 18, 2026, 03:14 AM