research-archival

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill's identity verification logic includes scanning the sensitive local path ~/.claude/.secrets/gh-token-* to extract GitHub authentication tokens.
  • [REMOTE_CODE_EXECUTION]: The instructions direct the agent to use ssh to execute administrative commands, such as docker restart and docker logs, on a remote host (littleblack). This provides a mechanism for the agent to control external infrastructure beyond the local environment.
  • [COMMAND_EXECUTION]:
    • The skill uses multi-line Bash scripts (heredocs) to perform complex logic for identity checks, service health monitoring, and automated container recovery.
    • The skill contains instructions for self-modification, telling the agent to "fix this file immediately" (SKILL.md) if it encounters issues, which can lead to unpredictable behavior or persistent malicious instructions if the agent is compromised.
  • [DATA_EXFILTRATION]: Scraped URLs, slugs, and potentially sensitive research data are transmitted to a local network service at 172.25.236.1:3003 during the scraping workflow.
  • [PROMPT_INJECTION]:
    • Indirect Prompt Injection: The skill ingests untrusted content from external URLs (ChatGPT, Gemini, and Claude shares) and processes it using tools with write permissions and remote execution capabilities.
    • Ingestion points: External content is fetched via Jina Reader and a self-hosted Firecrawl instance, as documented in SKILL.md and references/url-routing.md.
    • Boundary markers: There are no markers or safety instructions used to isolate the scraped content from the agent's control flow.
    • Capability inventory: The skill has access to local file writing, the GitHub CLI for issue creation, and remote SSH execution.
    • Sanitization: The skill lacks any validation or sanitization of the scraped data before it is saved to files or used to populate GitHub issues.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 17, 2026, 07:48 PM