
swain-release

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill dynamically locates and executes a shell script from the project workspace using the command: bash "$(find . .claude .agents -path '*/swain-session/scripts/swain-bookmark.sh' -print -quit 2>/dev/null)". Executing scripts found via runtime path searching within a potentially untrusted repository environment is a significant security risk that can lead to arbitrary code execution.
  • [PROMPT_INJECTION]: The skill contains an "Override file" feature that reads and obeys instructions from .agents/release.override.skill.md. It explicitly states these instructions "take precedence where they conflict," creating a massive surface for indirect prompt injection where repository content can override the primary safety and logic constraints of the skill.
      • Ingestion points: .agents/release.override.skill.md (file read), Git commit history (log parsing).
      • Boundary markers: Absent; the skill lacks delimiters or instructions to ignore embedded commands within the external data it processes.
      • Capability inventory: Bash (command execution), Edit (file modification), Write, and git push (network/remote repository modification).
      • Sanitization: Absent; there is no validation or filtering performed on the content of the override file or commit messages before processing.
  • [COMMAND_EXECUTION]: The skill performs several sensitive Git operations using the Bash tool, including git commit, git tag, and git push. While these are part of the intended release workflow, they can be co-opted if the agent's instructions are hijacked via the override mechanism.
  • [PROMPT_INJECTION]: The skill parses commit history to generate changelogs and suggest version bumps. Maliciously crafted commit messages (e.g., containing "Ignore previous instructions") could attempt to influence the agent's output or behavior during the release process.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 14, 2026, 01:47 PM