wiki-brain

Fail

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill attempts to install a Python package named graphifyy via pip. This package name is a suspicious variation of the graphify tool referenced in the README and used in other commands within the skill. This pattern is characteristic of typosquatting attacks, posing a high risk of executing malicious code upon installation. Additionally, it uses the --break-system-packages flag, which bypasses system protections and increases the risk of system-wide impact.
  • Evidence: SKILL.md contains the command python3 -m pip install graphifyy 2>&1 | tail -3 || python3 -m pip install graphifyy --break-system-packages.
  • [COMMAND_EXECUTION]: The skill performs direct shell operations to modify the agent's core configuration files (~/.claude/settings.json) and project-level instructions (CLAUDE.md). It also installs a SessionEnd hook that executes a background shell script (hooks/session-end.sh) after every session, creating a persistent mechanism for command execution.
  • Evidence: SKILL.md Step 0.9 and hooks/session-end.sh script.
  • [EXTERNAL_DOWNLOADS]: The ingestion feature allows the agent to fetch and process content from arbitrary remote URLs, which are then integrated into the agent's knowledge graph and used for future reasoning.
  • Evidence: SKILL.md Step 2 (Ingest) supports fetching content from URLs.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from files or URLs and promotes that data to the agent's 'primary context' without applying boundary markers or sanitization.
  • Evidence:
      • Ingestion points: /wiki-brain ingest <file-or-url> in SKILL.md.
      • Boundary markers: None identified in templates or logic; output is treated as trusted wiki content.
      • Capability inventory: The agent can execute the graphify CLI and perform extensive file system modifications.
      • Sanitization: None. The skill instructs the agent to read source content and update wiki pages directly.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 21, 2026, 12:20 AM