steering

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions in SKILL.md (Bootstrap Mode, Step 1) guide the agent to read .env.local files. While the skill notes to avoid the main .env file, .env.local is a common standard for storing local development secrets, API keys, and credentials, making its automated access a risk for sensitive data exposure within the agent session.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection as it scans and summarizes untrusted project content (such as README.md and source files) to generate core documentation. Malicious instructions embedded in these files could influence the agent's summarization or steer the generated reference documents towards attacker-controlled outcomes.
  • Ingestion points: Reads README.md, CLAUDE.md, source code files, and various project configuration files.
  • Boundary markers: None identified in the scanning logic to distinguish instructions from data.
  • Capability inventory: Executes directory listing (ls), directory creation (mkdir), and file writes to the .agents/reference/ directory.
  • Sanitization: No evidence of sanitization or filtering of external codebase content before processing or template interpolation.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 13, 2026, 04:51 AM