docs-researcher

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The docs-researcher agent is highly vulnerable to Indirect Prompt Injection through its web research functionality.
      • Ingestion points: WebFetch is used to retrieve data from external URLs identified via WebSearch in agents/docs-researcher.md.
      • Boundary markers: None. The fetched content is processed directly by the model to 'Extract information' without any delimiters or instructions to ignore embedded commands.
      • Capability inventory: The agent possesses Write permissions. Critically, it is instructed to update its own SKILL.md file, providing a path for an attacker to achieve persistence by overwriting the skill's logic.
      • Sanitization: There is no evidence of sanitization, filtering, or validation of the external content before it is processed by the LLM.
  • [COMMAND_EXECUTION] (MEDIUM): The init command in SKILL.md executes a local JavaScript file using node via the Bash tool.
      • Evidence: `node ${CLAUDE_PLUGIN_ROOT}/scripts/init.js .` in SKILL.md.
      • Context: While the included scripts/init.js currently performs standard filesystem operations (creating directories and templates), the pattern of executing shell commands whose path is derived from an environment variable is a significant attack surface.
  • [DATA_EXFILTRATION] (LOW): The agent performs broad scans of the local codebase using Glob and Grep and has network access via WebFetch.
      • Evidence: Step 1 in agents/docs-researcher.md searches the entire project for patterns and helpers, which are then included in documentation files that could be subject to further external interaction.
Recommendations
  • The automated analysis detected serious security threats (see the findings listed above).
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:57 AM