agent-observability

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The skill starts a local server (apps/server/src/index.ts) that broadcasts all agent events, including prompts and tool results, over an unauthenticated WebSocket (/stream) and an HTTP API (/events/recent).
    * Evidence: The server uses 'Access-Control-Allow-Origin: *' and lacks any authentication mechanism for the WebSocket stream. This allows malicious websites visited by the user to perform cross-origin requests and steal the agent's interaction history.
  • [PROMPT_INJECTION] (HIGH): Vulnerability to indirect prompt injection (Category 8) due to the combination of untrusted data processing and high-privilege monitoring.
    * Ingestion points: capture-all-events.ts ingests all agent interactions (including file reads and web results) via stdin.
    * Boundary markers: Absent. Data is passed directly into JSON objects and logged without encapsulation.
    * Capability inventory: The skill includes Human-In-The-Loop (HITL) support (apps/server/src/types.ts), which allows the dashboard to potentially send approvals or responses back to the agent.
    * Sanitization: Absent. The dashboard (Vue 3) appears to render event payloads. If an agent processes malicious HTML/JS from an external source, it could lead to XSS in the dashboard, enabling an attacker to bypass HITL controls and manipulate agent actions.
  • [COMMAND_EXECUTION] (MEDIUM): The installation process requires configuring the agent to execute a local script (capture-all-events.ts) for every tool usage and session event.
    * Evidence: SETUP.md and settings.json.example instruct the user to add executable hooks to Claude Code settings, which run logic on all agent events.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:01 AM