sdk-config-validator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The skill accesses and extracts sensitive credentials from the local file system.
      ◦ Evidence: scripts/validate-env-setup.sh extracts the value of ANTHROPIC_API_KEY from the project's .env file using grep and cut for validation purposes, exposing the secret to the agent context.
  • Indirect Prompt Injection (HIGH): The skill processes untrusted project files and has write/execute capabilities via the Bash tool and suggested workflow.
      ◦ Ingestion points: Reads .env, package.json, pyproject.toml, requirements.txt, main.py, and tsconfig.json (potentially attacker-controlled configuration files).
      ◦ Boundary markers: Absent; no delimiters or explicit instructions to ignore embedded commands are used when reading files.
      ◦ Capability inventory: The skill uses the Bash tool to execute scripts and its manifest encourages the agent to 'Apply Fixes', enabling file modifications based on the processed untrusted data.
      ◦ Sanitization: Absent; content from the project files is processed and output to the agent's context without sanitization or validation.
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill suggests installing external packages that are not verified against the trusted source list.
      ◦ Node packages: @claude-ai/sdk.
      ◦ Python packages: claude-ai-sdk, python-dotenv, pydantic, pytest, pytest-asyncio, black, ruff, mypy.
  • Command Execution (LOW): The skill executes local shell commands to verify system state and package presence.
      ◦ Evidence: scripts/check-sdk-version.sh and scripts/validate-python.sh execute python3 -c using static strings to check versions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:17 PM