mint
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'Self-Healing' mechanism that instructs the agent to 'update directive Learnings when discovering new insights'. This allows the agent to modify its own permanent instructions based on potentially untrusted runtime data or user interactions, leading to persistent prompt injection.
- [PROMPT_INJECTION]: The agent's logic depends on 'directives' loaded from ~/.claude/directives/. The lack of integrity checks for these files means that any process or user capable of writing to this directory can take complete control of the agent's behavior.
- [COMMAND_EXECUTION]: The skill provides instructions for a wide array of high-impact system operations requiring sudo privileges, including modifying the GRUB bootloader, managing LUKS disk encryption, and installing/removing system packages. While aligned with the tool's purpose, these capabilities represent a high-risk surface area if the agent is compromised via injection.
- [DATA_EXFILTRATION]: The skill facilitates access to sensitive system information, including LUKS encryption headers, kernel logs (dmesg), and the system clipboard (xclip/xsel). Because the skill also has access to WebSearch, there is a risk that sensitive system metadata could be exfiltrated through search queries.
- [REMOTE_CODE_EXECUTION]: The workflow relies on sourcing and executing external shell scripts located in ~/.claude/execution/. The agent is instructed to use source, which executes scripts in the current shell context, potentially allowing for privilege escalation if the scripts are tampered with.
Audit Metadata