claude-code-bash-patterns

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): SKILL.md contains a hardcoded API key pattern export API_KEY="sk-...". Although intended as a 'Session Persistence' example, providing specific secret prefixes like sk- can lead to accidental exposure if the agent or user follows the pattern literally.
  • [DATA_EXFILTRATION] (MEDIUM): The scripts/bash-audit-logger.sh script records all bash commands to ~/.claude/bash-audit.log. Since the agent often handles secrets (API keys, passwords) in command arguments or environment variables, this creates a local file containing highly sensitive unencrypted data.
  • [COMMAND_EXECUTION] (HIGH): The skill promotes a 'hook' architecture where arbitrary shell commands and Python scripts are executed before and after every tool call. The examples in templates/settings.json use shell interpolation ($CLAUDE_TOOL_INPUT) to perform logic, which is a complex execution surface prone to bypass or unintended behavior.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The security guards provided (dangerous-command-guard.py) rely on regular expressions to block 'dangerous' commands. This is a fragile defense-in-depth mechanism that can be bypassed using shell obfuscation techniques (e.g., r''m -''rf /) or indirect injection where the agent is manipulated into generating a command that evades the specific regex patterns.
      ◦ Ingestion points: CLAUDE_TOOL_INPUT environment variable and standard input are used to pass tool data to hook scripts.
      ◦ Boundary markers: Absent. Untrusted command strings are processed directly.
      ◦ Capability inventory: The skill facilitates full Bash execution, file writing, and tool orchestration.
      ◦ Sanitization: Uses jq for JSON parsing, but the actual command content is evaluated via regex without semantic sanitization.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:00 AM