creating-agent-skills

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Data Exposure] (LOW): The skill interacts with the ~/.claude/.env file to manage credentials and profile states. Although this is documented as a security feature to prevent leaking keys in chat logs, accessing sensitive environment files is a potential exposure vector.
      • Evidence: references/api-security.md instructs the agent to grep and write to ~/.claude/.env.
  • [Dynamic Execution] (LOW): Several workflows involve creating shell and Python scripts, modifying their permissions (chmod +x), and executing them. This is the intended primary purpose of the skill, but it constitutes dynamic code generation and execution.
      • Evidence: workflows/add-script.md (Step 6) and references/using-scripts.md define procedures for script creation and execution.
  • [Indirect Prompt Injection] (LOW): The audit and verification workflows ingest content from arbitrary skill files in the ~/.claude/skills/ directory. Without sanitization or boundary markers, malicious instructions in these external files could influence the agent's behavior during the audit process.
      • Ingestion points: workflows/audit-skill.md (Step 2: cat SKILL.md), workflows/verify-skill.md (Step 2: cat all files).
      • Boundary markers: Absent; the files are read directly into context.
      • Capability inventory: The skill has extensive file system and shell execution capabilities.
      • Sanitization: Absent.
  • [Unverifiable Dependencies] (LOW): The skill documentation recommends installing various third-party packages from PyPI and npm. While common, these represent an external dependency risk.
      • Evidence: references/official-spec.md and references/executable-code.md recommend pip install pypdf pdfplumber.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 04:10 PM