skills/cacr92/wereply/skill-install/Gen Agent Trust Hub

skill-install

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads content from user-specified GitHub repositories. While GitHub is a well-known service, the repository content itself is untrusted until properly scanned.
  • [COMMAND_EXECUTION]: During Step 7 of the installation workflow, the skill modifies file permissions to make downloaded scripts executable on the local filesystem.
  • [PROMPT_INJECTION]: The security scanning mechanism is vulnerable to indirect prompt injection, where malicious instructions inside a scanned skill could influence the scanner's output.
  • Ingestion points: External file content (SKILL.md, scripts, references) is fetched from remote GitHub repositories in SKILL.md (Step 4).
  • Boundary markers: The prompt template in references/security_scan_prompt.md does not use strict delimiters or 'ignore instructions' warnings to isolate the untrusted {skill_content} from the scanner's logic.
  • Capability inventory: The skill possesses file write capabilities to ~/.claude/skills/, network fetch capabilities, and the ability to set execution permissions via the Write tool.
  • Sanitization: No sanitization, validation, or escaping of the fetched repository content is performed before it is inserted into the LLM security analysis prompt.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 12:25 AM