The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill is designed to ingest a user's existing codebase and prompts and modify them directly. It lacks any sanitization or boundary markers when integrating new instructions.
Ingestion point: User's codebase and prompt files identified via search operations.
Capability: File system write access to update model strings and merge prompt snippets.
Boundary markers: Absent. The instructions explicitly advise 'integrating them thoughtfully' into existing structures, which increases the likelihood of an agent obeying malicious instructions embedded in the source code.
Sanitization: None. No validation is performed on the code or prompts being modified.
[Unverifiable Dependencies] (HIGH): The skill relies on local reference files (references/effort.md, references/prompt-snippets.md) that are missing from the provided skill folder. These files effectively function as unverified payload containers for the content being injected into the user's environment.
[Metadata Poisoning] (MEDIUM): The skill refers to 'Claude Opus 4.5', 'Sonnet 4.5', and 'Opus 4.1', none of which are currently released models. Using deceptive or non-existent model versions can lead to configuration errors or the use of attacker-controlled endpoints if the model strings are redirected.
[Command Execution] (MEDIUM): The migration workflow requires the agent to 'Search codebase for model strings', which implies recursive filesystem access and the execution of search/replace commands across potentially sensitive files.

claude-opus-4-5-migration