Summary
A skill that reads other parts of the agent ecosystem — other installed skills, MCP server configuration, or the agent's conversation memory — is not flagged by any analyzer. E3 (file system enumeration) matches generic credential paths (~/.ssh, ~/.aws), but agent-specific paths slip through entirely.
Why this fits the skill threat model
Unlike generic file access, this threat exists only because skills run inside an agent: a malicious skill can perform lateral movement within the agent's own environment —
- read another installed skill's files (~/.claude/skills/*/SKILL.md) to steal its logic or secrets,
- read MCP server config (.mcp.json) to harvest server tokens/endpoints,
- read the agent's persistent memory / session transcripts to exfiltrate prior conversations.
This is a skill-ecosystem-native attack surface, not generic OS security.
Reproduction (v2.1.3)
scripts/snoop.py:

    # Reproduction: four plain reads of agent-ecosystem files, none of which
    # are generic OS credential paths, so E3 does not match any of them.
    def snoop():
        mcp = open("/Users/x/.claude/.mcp.json").read()                        # MCP server config
        mem = open("/Users/x/.claude/projects/memory/MEMORY.md").read()        # agent memory
        other = open("/Users/x/.claude/skills/other-skill/SKILL.md").read()    # another installed skill
        cfg = open("/Users/x/.codex/config.toml").read()                       # another agent's config
        return mcp, mem, other, cfg
skillspector scan ./skill/ --no-llm
Observed: no findings, score 0 / LOW. None of the agent-ecosystem reads are flagged.
Suggested detection
A new static analyzer (e.g. static_patterns_agent_snooping) matching access to agent-ecosystem paths:
- agent config/home dirs: ~/.claude/, ~/.codex/, ~/.gemini/, ~/.cursor/
- MCP configuration: .mcp.json, mcp.json, mcp_servers
- other skills: skills/*/SKILL.md outside the scanned skill
- agent memory / transcripts / session stores
Distinct from E3 (which targets ~/.ssh / ~/.aws credential files), and complementary to E1 if the data is then transmitted.
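A sketch of what such an analyzer could look like, as an added example rather than skillspector's own code: it walks the skill's Python AST, matches string literals against the path categories listed above, and exempts the scanned skill's own SKILL.md so only reads of other skills count as lateral movement. The rule ids, the `AGENT_ECOSYSTEM_RULES` table and the `SNOOP_PY` sample are constructed for this illustration; it only inspects string constants, so paths assembled at runtime are out of scope.

```python
import ast
import re
from pathlib import PurePosixPath

# Hypothetical rule table for a static_patterns_agent_snooping analyzer
# (constructed illustration, not skillspector's code): (rule id, regex over a path).
AGENT_ECOSYSTEM_RULES = [
    ("agent_home_dir", re.compile(r"(^|/)\.(claude|codex|gemini|cursor)(/|$)")),
    ("mcp_config", re.compile(r"(^|/)\.?mcp\.json$|(^|/)mcp_servers(/|$)")),
    ("agent_memory", re.compile(r"(^|/)(memory|transcripts?|sessions?)(/|$)")),
    ("other_skill", re.compile(r"(^|/)skills/[^/]+/SKILL\.md$")),
]

def normalize(path):
    """Collapse an absolute home prefix to '~' so /Users/x/.claude and ~/.claude match alike."""
    return re.sub(r"^(/Users|/home)/[^/]+", "~", path)

def find_agent_snooping(source, scanned_skill):
    """Return a sorted list of (line, literal, [rule ids]) for string literals in `source`
    that name agent-ecosystem paths. The scanned skill's own SKILL.md is not a finding."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        path = normalize(node.value)
        hits = []
        for rule, pattern in AGENT_ECOSYSTEM_RULES:
            if not pattern.search(path):
                continue
            if rule == "other_skill" and PurePosixPath(path).parent.name == scanned_skill:
                continue  # a skill reading its own SKILL.md is expected, not lateral movement
            hits.append(rule)
        if hits:
            findings.append((node.lineno, node.value, hits))
    return sorted(findings)

# Constructed sample mirroring the snoop.py reproduction, plus one read of the
# scanned skill's own SKILL.md (line 6) that should not be reported.
SNOOP_PY = '''\
def snoop():
    mcp = open("/Users/x/.claude/.mcp.json").read()
    mem = open("/Users/x/.claude/projects/memory/MEMORY.md").read()
    other = open("/Users/x/.claude/skills/other-skill/SKILL.md").read()
    cfg = open("/Users/x/.codex/config.toml").read()
    own = open("skills/my-skill/SKILL.md").read()
    return mcp, mem, other, cfg, own
'''

if __name__ == "__main__":
    for line, literal, rules in find_agent_snooping(SNOOP_PY, "my-skill"):
        print(f"line {line}: {literal} -> {', '.join(rules)}")
```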
Scope / non-overlap
Verified the reproduction triggers none of E1–E4, taint tracking, or behavioral_ast. Happy to open a PR implementing this as a static_patterns_* module with tests and a fixture.