skills/alekspetrov/navigator/nav-init/Gen Agent Trust Hub

nav-init

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Persistence & Command Execution] (HIGH): The skill modifies .claude/settings.json to register a PostToolUse hook. This configuration forces the agent to automatically execute an external Python script (monitor-tokens.py) after every invocation of the Write, Edit, Bash, or Task tools. This introduces a persistent and potentially hidden execution layer within the agent's core operational loop.
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to injection via local project metadata.
      • Ingestion points: The detect_project_info function reads untrusted strings from package.json, pyproject.toml, and other project configuration files.
      • Boundary markers: Absent. The skill interpolates these strings directly into templates for CLAUDE.md and DEVELOPMENT-README.md without delimiters.
      • Capability inventory: The skill has access to Bash, Write, and Read tools. If a project file contains malicious instructions that are written into CLAUDE.md, the agent will read and potentially obey them in future turns.
      • Sanitization: None. There is no evidence of validation or escaping for the project name or tech stack data before it is written to the file system.
  • [Command Execution] (MEDIUM): The skill executes shell commands that interact with the user's home directory (${HOME}/.claude/plugins/...). While intended for template copying, this pattern relies on environment variables and hardcoded paths that could be exploited if the environment is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:47 AM