claude-code-wrapper

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The script scripts/claude_code.sh accesses ~/.claude/config.json to extract and export the ANTHROPIC_AUTH_TOKEN. Accessing sensitive credential files in the home directory is a high-risk operation. The severity is mitigated to MEDIUM for the final verdict as this is the primary stated purpose of the skill.
  • Indirect Prompt Injection (LOW): The skill creates a surface for indirect prompt injection by passing unsanitized user input directly to the claude CLI.
    • Ingestion points: User input is accepted via command-line arguments ($@) in scripts/claude_code.sh.
    • Boundary markers: Absent; user input is not delimited from instructions.
    • Capability inventory: The script executes the claude binary with inherited environment variables.
    • Sanitization: No escaping or validation is performed on the input arguments before execution.
  • Command Execution (LOW): The script uses exec claude "$@" to launch the Claude Code interface. While this is the intended behavior, executing commands with direct user input without validation is a security best-practice violation.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 19, 2026, 03:56 PM