clean-code

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Command Execution] (MEDIUM): The skill contains a mandatory requirement for agents to execute Python scripts from the .agent/skills/ directory (e.g., python .agent/skills/api-patterns/scripts/api_validator.py .). Since these scripts are not part of the skill itself and are located in a potentially writable directory, this creates a significant risk of arbitrary code execution if the environment is compromised.
  • [Prompt Injection] (LOW): The instructions include 'AI Coding Style' rules such as 'Fix it, don't explain' and 'The user wants working code, not a programming lesson.' These instructions discourage the agent from explaining its actions to the user, which could be exploited to hide malicious code changes or backdoors during automated bug fixes.
  • [Indirect Prompt Injection] (LOW): The skill requires the agent to run verification scripts and summarize their output. If the scripts process attacker-controlled data, the output could contain malicious instructions that the agent might inadvertently follow.
    • Ingestion points: STDOUT/STDERR from Python verification scripts listed in the agent-to-script mapping.
    • Boundary markers: Absent. While a markdown summary template is provided, there are no instructions to treat the script output as untrusted or to ignore embedded commands.
    • Capability inventory: The skill uses Read, Write, and Edit tools, and executes shell commands via the python interpreter.
    • Sanitization: No sanitization or validation of the script output is performed before the agent processes it.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:51 PM