manage-learn

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes unsanitized shell commands in its 'Capture Mode'.
  • The implementation details specify that the Bash tool is used to append JSON data to a file: Bash(echo '${JSON.stringify(insightRow)}' >> .workflow/learning/lessons.jsonl).
  • The insightRow object includes the summary field, which contains the full insight text provided by the user via $ARGUMENTS.
  • JSON.stringify escapes double quotes, backslashes and control characters, but it does not escape single quotes. A malicious user can provide an input containing a single quote (e.g., ' ; <malicious_command> ; ') to terminate the shell's single-quoted string and execute arbitrary commands with the privileges of the agent running the skill.
  • [PROMPT_INJECTION]: The skill metadata contains deceptive claims that mask its actual behavior and attack surface.
  • The description and 'Core Rules' explicitly state there are 'No CLI calls' and that the skill performs 'pure file reads and writes'.
  • This directly contradicts the implementation section, which relies on the Bash tool to execute shell commands such as mkdir, touch, and echo.
  • Such deception can mislead reviewers or users into assuming the skill lacks a shell-based attack surface, so a review that trusts the metadata alone would miss the command-execution issue above.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 17, 2026, 01:12 AM