plan-archive
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on Bash for file operations and guides the user to set up a PostToolUse hook in ~/.claude/settings.json. This configuration causes a shell script to run automatically after tool execution, which is both a persistence mechanism and automated command execution within the agent environment.
- [DATA_EXFILTRATION]: The recommended hook script save-plan-on-exit.sh is vulnerable to arbitrary file exposure. It extracts a path from tool output and copies the target file to the project directory without verifying that the source is within the project or is a non-sensitive file. This could allow an attacker to trick the agent into copying sensitive data like SSH keys or credentials into the plan directory.
- [PROMPT_INJECTION]: The skill processes the contents of Markdown files from the plans/active/ directory, which constitutes an indirect prompt injection surface.
  1. Ingestion points: plans/active/*.md (SKILL.md).
  2. Boundary markers: There are no delimiters, and no instructions telling the agent to ignore instructions embedded in these files.
  3. Capability inventory: Bash, Read, Write, Edit, and Glob (SKILL.md).
  4. Sanitization: No validation or sanitization of the file content is performed prior to processing or editing.
Audit Metadata