memory-manage

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection due to the unsanitized interpolation of user-supplied input into shell command strings. In phases/03-update-single.md, the targetPath variable is parsed from the $ARGUMENTS object and directly embedded into multiple Bash commands, including test -d "${targetPath}", find "${targetPath}", and ls "${targetPath}". A malicious user could provide a path containing shell metacharacters (e.g., ; rm -rf /) to execute arbitrary commands on the host system.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface when generating documentation or updating module memory. It utilizes an Explore sub-agent to ingest and analyze untrusted content from the local project directory and then passes this information into prompts for the ccw cli tool and other sub-tasks.
      • Ingestion points: Local files located within the user-specified directory in phases/03-update-single.md.
      • Boundary markers: No delimiters or instruction-isolation markers are present in the prompts to distinguish analyzed file content from system instructions.
      • Capability inventory: The skill possesses the ability to execute shell commands via Bash, write files to the filesystem using ccw cli, and spawn sub-agents through the Task function.
      • Sanitization: Content extracted from project files is interpolated directly into subsequent prompts without any escaping, validation, or sanitization.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically assembles prompts for sub-agents that include executable shell script logic. In phases/01-update-full.md and phases/02-update-related.md, module paths and tool configurations are interpolated into a batch worker prompt template. This template contains Bash commands executed by the memory-bridge sub-agent, creating a risk of control flow manipulation if the input module list is tampered with.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 01:42 PM