The Agent Skills Directory

[COMMAND_EXECUTION]: The skill is vulnerable to shell command injection in SKILL.md. The user-provided argument [N] is interpolated directly into a shell execution block (python3 .../scripts/dig.py [N]) without sanitization. An attacker could provide a payload such as 10; [malicious_command] to execute arbitrary code on the host system.
[DATA_EXFILTRATION]: The skill accesses highly sensitive session history files located in ~/.claude/projects/. These files contain the full history of previous interactions, including source code and potentially secrets. The skill extracts metadata (summaries, repository names, and commit hashes) and instructs the agent to send this data to an external 'Oracle' service using the arra_trace tool.
[COMMAND_EXECUTION]: The Python script scripts/dig.py executes the external command ghq via subprocess.run to map local directory paths to repository names. While the arguments are passed as a list, this adds a dependency on an external binary and exposes repository structures.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests data from untrusted .jsonl session logs and processes the content without sanitization or boundary markers. If a previous session contained malicious instructions, they could be re-activated when the agent parses the logs during a /dig command.
Ingestion points: Reads .jsonl files from ~/.claude/projects/.
Boundary markers: None identified in the processing logic.
Capability inventory: Executes shell commands and subprocesses.
Sanitization: No escaping or validation is performed on the ingested session content.

dig