skills/wojons/skills/context-pack/Gen Agent Trust Hub

context-pack

Fail

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: scripts/unpack.sh is vulnerable to path traversal. It takes file paths directly from the input markdown and uses them to create directories and write files via mkdir -p and output redirection without any sanitization. A maliciously crafted context pack can therefore use a path such as ../../path/to/sensitive/file to overwrite any file the unpacking user can write to; an absolute path, or a path that passes through a symlink planted by an earlier entry of the same pack, has the same effect.
  • [COMMAND_EXECUTION]: scripts/pack.sh runs unzip on user-provided ZIP archives. This is susceptible to "Zip Slip" if the archive contains entries with traversal components (e.g., ../../), potentially overwriting files outside the intended temporary extraction directory. Info-ZIP unzip strips leading "/" and skips "../" components by default (with a warning), so the plain traversal form usually fails on a stock install, but an archive can still carry a symlink entry that later entries write through, and the script should validate entry names itself rather than depend on extractor defaults.
  • [DATA_EXFILTRATION]: The skill is designed to aggregate codebase content for external consumption. While it includes a default exclusion list that covers .env files, it does not explicitly block other sensitive directories like ~/.ssh, ~/.aws, or other credential-heavy locations if they are included in the source path.
  • [PROMPT_INJECTION]: The skill functions as a data aggregator for LLMs, creating an indirect prompt injection surface. If the files being packed contain malicious instructions or hidden markdown payloads, they will be passed into the context window of the AI agent consuming the pack, potentially hijacking its behavior.
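The two COMMAND_EXECUTION findings above call for the same fix: treat every path taken from a pack or a ZIP listing as untrusted and check it before mkdir, redirection or unzip touches it. The script below is an added example, not the context-pack project's code; the function names, the scratch-directory demo and the sample paths are constructed for this illustration. It serves both the unpack.sh finding (safe_write) and the pack.sh finding (zip_entries_safe), and goes beyond the ".." case by also refusing absolute paths, empty or "." components, backslashes, and writes that would pass through a symlink.

```bash
#!/usr/bin/env bash
# Added example (not the context-pack project's code): the checks that
# scripts/unpack.sh and scripts/pack.sh would need before trusting a path taken
# from a pack or a ZIP entry. Function names, the scratch-directory demo and the
# sample paths are constructed for this illustration.
set -eu

# Accept only a plain relative path: not absolute, no backslashes, and no
# empty, "." or ".." components anywhere. Wrapping the path in slashes lets one
# case statement catch every position, including the first and last component.
safe_rel_path() {
  case "/$1/" in
    *\\*|*/./*|*/../*|*//*) return 1 ;;
  esac
  return 0
}

# For a path that already passed safe_rel_path, resolve the deepest ancestor
# directory that exists on disk (following any symlinks) and confirm it is still
# under the root. This catches a symlink planted by an earlier entry of the same
# pack that points outside the tree.
inside_root() {
  local root="$1" rel="$2" rootp dir
  rootp="$(cd "$root" && pwd -P)" || return 1
  dir="$(dirname "$rel")"
  while [ ! -d "$root/$dir" ]; do
    dir="$(dirname "$dir")"
  done
  dir="$(cd "$root/$dir" && pwd -P)" || return 1
  case "$dir" in
    "$rootp"|"$rootp"/*) return 0 ;;
  esac
  return 1
}

# Write stdin to "$root/$rel" only if both checks pass and the final target is
# not itself a symlink (a pack could plant one pointing at a real config file).
safe_write() {
  local root="$1" rel="$2"
  safe_rel_path "$rel" || { echo "reject (unsafe path): $rel" >&2; return 1; }
  inside_root "$root" "$rel" || { echo "reject (escapes root): $rel" >&2; return 1; }
  mkdir -p "$root/$(dirname "$rel")"
  [ ! -L "$root/$rel" ] || { echo "reject (symlink target): $rel" >&2; return 1; }
  cat > "$root/$rel"
}

# Pre-check a ZIP before pack.sh runs unzip: every entry name must pass
# safe_rel_path and no entry may be a symlink. Uses Info-ZIP's zipinfo mode
# (unzip -Z1 prints names only; unzip -Z prints a mode column first, where a
# symlink entry shows as "l...").
zip_entries_safe() {
  local archive="$1" list name
  list="$(mktemp)"
  unzip -Z1 "$archive" > "$list" || { rm -f "$list"; return 1; }
  while IFS= read -r name; do
    safe_rel_path "${name%/}" || { echo "reject (unsafe entry): $name" >&2; rm -f "$list"; return 1; }
  done < "$list"
  rm -f "$list"
  if unzip -Z "$archive" | grep -q '^l'; then
    echo "reject (symlink entry in archive)" >&2
    return 1
  fi
  return 0
}

# Demo on scratch directories with constructed paths (no real pack involved).
# Returns 0 only if the legitimate write lands and every attack path is refused.
demo() {
  local root outside
  root="$(mktemp -d)"
  outside="$(mktemp -d)"
  ln -s "$outside" "$root/link"   # symlink a malicious pack might plant first
  printf 'package main\n' | safe_write "$root" 'src/main.go' || return 1
  if printf 'x\n' | safe_write "$root" '../../etc/passwd' 2>/dev/null; then return 1; fi
  if printf 'x\n' | safe_write "$root" '/etc/passwd' 2>/dev/null; then return 1; fi
  if printf 'x\n' | safe_write "$root" 'link/escape.txt' 2>/dev/null; then return 1; fi
  [ -f "$root/src/main.go" ] && [ ! -e "$outside/escape.txt" ]
}

demo && echo "unpack checks OK"
```

The symlink case is the one a plain string check misses: once a pack has written a symlink entry, a later entry with a perfectly clean relative name like link/escape.txt lands outside the tree, which is why inside_root resolves the on-disk ancestor with pwd -P instead of inspecting the string. zip_entries_safe applies the same rule to an archive before unzip runs, so pack.sh does not have to rely on whatever the installed extractor strips by default.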
Recommendations
  • AI detected serious security threats. Each finding above has a direct remediation: reject any pack path that is absolute or contains ".." components before scripts/unpack.sh creates or writes it; list and validate ZIP entries before scripts/pack.sh extracts them; extend the default exclusion list beyond .env to credential directories such as ~/.ssh and ~/.aws; and treat everything in a pack as untrusted input to the consuming agent rather than as instructions.
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 8, 2026, 02:45 PM