skills/continuedev/skills/scan/Gen Agent Trust Hub

scan

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection vulnerability. The skill reads external skill definitions from .claude/skills/ and converts their content into executable criteria for subagents. If a scanned skill contains malicious instructions disguised as criteria, subagents may attempt to follow them.
    • Ingestion points: .claude/skills/<name>/SKILL.md and associated references.
    • Boundary markers: The workflow 'distills' content into a numbered checklist (C1, C2...) but lacks explicit instructions to subagents to ignore embedded control commands within those criteria.
    • Capability inventory: Scanner subagents have Read, Glob, and Grep capabilities; Fixer subagents have Edit and Write capabilities.
    • Sanitization: No evidence of sanitization or escaping of the distilled criteria before they are passed to the subagents.
  • [COMMAND_EXECUTION] (SAFE): The skill uses spawnTeam to orchestrate parallel tasks. While subagents are granted file system access, the instructions provided in references/teammate-instructions.md explicitly enforce a 'Read-only' policy for scanners, and the Fixer subagents are only invoked after a user manually reviews the scan report and provides consent.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 06:26 AM