NYC

learn

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection (Category 8).
    1. Ingestion points: Untrusted data enters context via WebSearch and WebFetch tools in SKILL.md.
    2. Boundary markers: Absent; no delimiters or instructions are used to separate untrusted web content from agent reasoning or file-writing logic.
    3. Capability inventory: The skill can write persistent files to the local filesystem (~/.claude/skills/), which establish long-term persistence for any injected instructions.
    4. Sanitization: Absent; the skill extracts content from documentation and interpolates it directly into markdown templates without filtering.
  • COMMAND_EXECUTION (MEDIUM): The skill performs dynamic script and instruction generation from external sources (Category 10). Malicious web content could inject dangerous setup commands or patterns into the generated skill files, which the agent or user might follow during later sessions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:32 PM