skills/boshu2/agentops/knowledge/Gen Agent Trust Hub

knowledge

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The skill executes grep and a custom CLI ao via bash. The input <query> is wrapped in double quotes, but double quotes do not stop the shell from expanding $VAR, $(...) or backtick substitutions, and a literal " inside the query closes the quoted region. There is therefore a minor risk of shell injection if the agent does not escape the user's query (or pass it as a separate argument rather than a shell string) before interpolating it into the bash command.
  • [DATA_EXFILTRATION] (LOW): The skill explicitly accesses ~/.claude/plans/. While this is part of its intended purpose for 'Global plans', it involves reading data from the user's home directory outside the immediate project scope.
  • [PROMPT_INJECTION] (LOW): The skill uses a workflow that includes 'Read full files' and 'Synthesize Results'. This is a classic surface for Indirect Prompt Injection (Category 8). If a knowledge artifact (e.g., a file in .agents/research/) contains malicious instructions, the agent might follow them during the synthesis phase.
  • Ingestion points: .agents/ subdirectories and ~/.claude/plans/ via grep and read tool.
  • Boundary markers: None specified in the workflow instructions to help the agent distinguish between data and instructions.
  • Capability inventory: Shell execution (bash), file reading (read tool), and MCP tool usage (mcp__smart-connections-work__lookup).
  • Sanitization: None detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:11 PM