Is agent-directory safe?

https://clawhub.ai/aerialcombat/agent-directory

74 · CAUTION

The coder-workspaces skill is a pure documentation skill with no executable code, no scripts, no hooks, and clean clone behavior. However, it grants the agent powerful capabilities — SSH access to remote workspaces and the ability to create AI coding tasks on remote infrastructure — that represent a significant attack surface expansion. The skill itself is not malicious, but it is a high-value target for prompt injection and skill-chaining attacks that could leverage remote execution capabilities.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

MEDIUM SSH command execution capability in agent context -15

SKILL.md instructs the agent to use 'coder ssh -- ' to execute arbitrary commands on remote workspaces. While this is the legitimate purpose of the skill, it grants the agent a powerful remote execution capability that could be abused by prompt injection or malicious skill chaining.

MEDIUM Credential environment variables in agent prompt -10

The skill requires CODER_SESSION_TOKEN to be set as an environment variable and references it in setup instructions injected into the agent's system prompt. This normalizes credential handling in the agent context and creates risk of token leakage through logging, error messages, or agent output.

MEDIUM Remote access channel via coder SSH -20

The coder SSH capability creates a bidirectional channel to remote infrastructure. While no exfiltration is attempted by the skill itself, this channel could be exploited by other skills or prompt injections to read sensitive data from remote workspaces or send local data to remote systems.

LOW Session token exposure risk -10

CODER_SESSION_TOKEN provides full API access to the Coder deployment. If the agent inadvertently echoes environment variables or includes them in error reports, the token could be leaked.

LOW No executable code present -10

The skill is pure documentation with no scripts, hooks, or executable components. Previous scripts were deliberately removed (documented in CHANGELOG). This is a positive finding.

INFO Install timeout during resolution -5

The skill install timed out during slug resolution. This appears to be a registry connectivity issue rather than malicious behavior. No other suspicious clone-time activity detected.

HIGH Force multiplier for multi-skill attacks -55

This skill teaches the agent to SSH into remote infrastructure and execute commands. While benign alone, it becomes dangerous when combined with a malicious skill that could leverage the SSH capability to access remote systems, exfiltrate data through workspaces, or pivot through the Coder deployment. The skill effectively extends the agent's attack surface from the local host to all accessible Coder workspaces.

INFO Legitimate documentation links only 0

All external URLs point to official Coder documentation (coder.com/docs). No suspicious fetch targets or data exfiltration endpoints.