skill-evolution-manager

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The core functionality of this skill is to ingest untrusted data from conversation contexts and use it to modify the system instructions of other skills.
  • Ingestion points: Reads user feedback and 'session reviews' from the active conversation context (SKILL.md, Review & Extract section).
  • Boundary markers: There are no markers or sanitization used when the agent generates the evolution.json payload from user feedback.
  • Capability inventory: The skill has the capability to write to the file system (SKILL.md, evolution.json) and execute subprocesses via scripts/align_all.py.
  • Sanitization: None. The smart_stitch.py script takes the custom_prompts field from the JSON and appends it directly to the markdown file used for system instructions. This allows an attacker to inject permanent 'system-level' instructions into any skill in the local library.
  • Command Execution (MEDIUM): The scripts/align_all.py script uses subprocess.run to execute other Python scripts. While it currently targets internal scripts, the pattern of automated execution across all directories in ~/.claude/skills presents a risk if an attacker can drop malicious files into a skill directory.
  • Privilege Escalation (MEDIUM): By modifying the SKILL.md files of other, potentially more privileged skills (e.g., those with network or filesystem access), this manager can elevate the impact of a simple conversation-level injection into a full-scale system compromise.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:37 AM