codebase-architecture-analysis

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill directs the agent to document 'Environment variables' and 'service configuration' found in the repository. This creates a high risk of accidentally capturing and exposing sensitive API keys or credentials in the final documentation output.
  • [COMMAND_EXECUTION] (MEDIUM): The skill explicitly mandates using BASH tools and the GIT CLI while specifically instructing the agent to bypass safer Model Context Protocol (MCP) interfaces. Direct shell interaction with untrusted repository data (filenames, branches) significantly increases the risk of command injection.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it analyzes untrusted file contents without boundary markers or sanitization logic. Evidence: 1. Ingestion: git clone and recursive file reading in Step 2. 2. Boundary markers: Absent. 3. Capability inventory: Bash shell, Git CLI, and network access. 4. Sanitization: Absent; the agent is encouraged to summarize raw file contents directly.
  • [EXTERNAL_DOWNLOADS] (LOW): Clones code from external GitHub URLs provided by the user, which is the primary vector for ingesting potentially malicious data into the agent's environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:37 PM