claude-to-im

Warn

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's primary logic depends on the claude-to-im package, which is fetched directly from an unverified GitHub repository (op7418/claude-to-im) during installation instead of a standard package registry.
  • [COMMAND_EXECUTION]: The skill manages a background Node.js daemon using various shell and PowerShell scripts (daemon.sh, supervisor-macos.sh, supervisor-windows.ps1). This daemon executes the claude or codex CLI tools to provide terminal-level capabilities to the remote AI agent.
  • [CREDENTIALS_UNSAFE]: The skill collects messaging platform API tokens via an interactive setup wizard. It follows security best practices by storing these in a restricted file (~/.claude-to-im/config.env with 600 permissions) and redacting them from all log outputs and setup summaries using regex masking patterns.
  • [DATA_EXFILTRATION]: The doctor.sh diagnostic tool makes outbound network requests to official messaging platform APIs (Telegram, Feishu, QQ) to validate token functionality.
  • [INDIRECT_PROMPT_INJECTION]: The skill creates a vulnerability surface where untrusted input from messaging platforms is processed by an agent with shell access.
    ◦ Ingestion points: Messaging platform APIs (Telegram, Discord, etc.) integrated in src/main.ts.
    ◦ Boundary markers: No explicit boundary delimiters or 'ignore embedded instruction' warnings are added to user messages before they are processed by the agent.
    ◦ Capability inventory: Full terminal access via Bash, Write, and Edit tools as inherited from the underlying AI CLI.
    ◦ Sanitization: No input sanitization or filtering is performed on message content.
    ◦ Mitigation: The skill implements interactive permission gates (inline approval buttons) and user allow-lists to restrict tool usage to authorized users.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 22, 2026, 02:57 PM