project

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUM

DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: Path traversal vulnerability in project path resolution logic. User-provided project names or slugs are used to construct file paths without sanitization in scripts/utils.ts and scripts/resolve-slug.ts. This flaw allows the spinoff.ts and incubate.ts scripts to resolve to sensitive local directories (e.g., using ../ sequences) instead of the intended project workspace. If exploited, the spinoff command can copy the contents of arbitrary local directories into a new git repository and push them to a remote GitHub account.
  • [PROMPT_INJECTION]: Indirect prompt injection surface via repository scanning and indexing.
    - Ingestion points: scripts/reunion.ts and scripts/index.ts scan for and read .md files within the ψ/memory, learnings, and retrospectives directories of any cloned repository.
    - Boundary markers: Absent. The skill does not use delimiters or instructions to treat the scanned external content as untrusted.
    - Capability inventory: The skill has extensive capabilities including shell command execution (git, gh, cp), file system access, and the ability to push data to remote repositories.
    - Sanitization: Absent. Content is processed and prepared for indexing into the agent's knowledge base without validation or filtering.
  • [COMMAND_EXECUTION]: Extensive use of shell commands for system operations. The scripts utilize Bun's shell execution ($) to run git, gh, ghq, cp, ln, and rm. While Bun provides protection against simple argument injection, the broad access to these tools, combined with the path traversal vulnerabilities, significantly increases the risk of unauthorized system modification or data access.
  • [EXTERNAL_DOWNLOADS]: Clones external code from GitHub. The learn and incubate commands use ghq get to fetch repositories from arbitrary URLs provided by users or found in prompts, which serves as the entry point for untrusted content.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 21, 2026, 12:46 AM