@2004/skill-repo-publish

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Findings flagged: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The instructions specify embedding the GITHUB_TOKEN directly into the Git clone URL (https://${GITHUB_TOKEN}@github.com/...). This can lead to the token being exposed in plain text within shell history, process logs, or environment outputs.
  • [COMMAND_EXECUTION]: The skill uses Git CLI commands and Python scripts for cloning repositories and modifying file content. While necessary for its function, these represent direct execution of system commands and scripts.
  • [DATA_EXFILTRATION]: Local file changes are pushed to an external repository on GitHub (Starchild-ai-agent/official-skills). This is the intended behavior for publishing but involves sending data to an external service.
  • [PROMPT_INJECTION]: The skill allows the agent to update SKILL.md files with user-provided text. This creates an attack surface for indirect prompt injection, where malicious instructions could be persisted in the repository and later loaded by other agents.
  • Ingestion points: Text replacement strings used to modify SKILL.md files in the repository workflow.
  • Boundary markers: Absent; there are no instructions to sanitize or wrap the injected content to prevent it from being interpreted as instructions by future agents.
  • Capability inventory: Git push access to the vendor repository, enabling the persistence of modified files.
  • Sanitization: None; the skill performs a simple string replacement without validating the input content.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 14, 2026, 12:13 PM