skill-iter-tune

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands by concatenating user-provided skill paths into bash strings. While it employs a basic escaping function for the prompt argument, it does not sanitize path variables (such as skillPath) used in --cd and cp operations. A malicious user could provide a crafted path containing quotes and shell metacharacters (e.g., "; id ; #) to break out of the intended command context and execute arbitrary code on the host system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads target skill files and interpolates their contents into prompts for Claude and Gemini. An attacker-controlled target skill could include adversarial instructions designed to manipulate scores, bypass safety constraints, or trick the improvement agent into injecting malicious logic into the user's skill library during the improvement phase.
  • Ingestion points: Skill files are read and processed in phases/02-execute.md and phases/03-evaluate.md.
  • Boundary markers: The skill uses simple markdown headers (e.g., ### File: SKILL.md) to separate content, which are insufficient to prevent an LLM from obeying instructions embedded within those files.
  • Capability inventory: The skill has powerful capabilities including Bash for command execution and an Agent for direct file modification.
  • Sanitization: External content is interpolated into prompts without validation, filtering, or robust escaping.
  • [DYNAMIC_EXECUTION]: The skill uses a general-purpose Agent to apply changes to executable skill files based on suggestions generated by an AI evaluation. This dynamic modification of logic creates a high-risk surface for persistence and lateral movement if the analysis phase is subverted via prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 11, 2026, 07:41 AM