Plugin Settings

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): The skill permits indirect prompt injection by design: it defines a pattern where an agent reads configuration and task instructions from local files (.claude/*.local.md), which could be modified by external processes or could have been written earlier by the agent itself.
  • Evidence:
      • Ingestion points: Scripts in references/real-world-examples.md (e.g., stop-hook.sh) and examples/read-settings-hook.sh read from .claude/multi-agent-swarm.local.md and .claude/ralph-loop.local.md.
      • Boundary markers: The scripts use sed and awk to extract content but do not wrap the interpolated text in protective delimiters or add warnings to ignore embedded instructions.
      • Capability inventory: The skill uses Write to create/update these files and uses hooks to block/alter agent behavior based on their contents.
      • Sanitization: While examples/create-settings-command.md instructs the agent to sanitize input, the processing scripts themselves perform no sanitization on the extracted text before it is used as a prompt or system message.
  • COMMAND_EXECUTION (LOW): The skill includes examples that use tmux send-keys to interact with other terminal sessions based on configuration file values.
  • Evidence:
      • In references/real-world-examples.md, the agent-stop-notification.sh script executes tmux send-keys -t "$COORDINATOR_SESSION" "$NOTIFICATION" Enter. If the COORDINATOR_SESSION or AGENT_NAME fields are manipulated, this could be used to send unauthorized keystrokes to other active tmux sessions owned by the user.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 04:37 PM