BeCreative

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [Dynamic Execution] (MEDIUM): The skill is configured to load and apply configurations or resources from a hardcoded local path (~/.claude/skills/CORE/USER/SKILLCUSTOMIZATIONS/BeCreative/). This dynamic loading of instructions from computed paths can be exploited to override agent behavior without user awareness.
  • [Metadata Poisoning] (MEDIUM): The skill cites a likely fabricated or future-dated research paper (arXiv:2510.01171, which corresponds to October 2025) as a scientific foundation, suggesting deceptive metadata intended to falsely establish credibility.
  • [Command Execution] (LOW): All primary workflow files mandate the execution of a background bash command using curl to send POST requests to http://localhost:8888/notify. This introduces unverified local network traffic and subprocess execution that is unnecessary for the skill's creative purpose.
  • [Indirect Prompt Injection] (LOW): The skill processes untrusted user data by interpolating it directly into prompts (e.g., [User's creative request] in Workflows/StandardCreativity.md). Evidence: 1. Ingestion points: User requests in all workflow templates. 2. Boundary markers: Weak markdown headers (## Request). 3. Capability inventory: Subprocess execution via curl. 4. Sanitization: None detected.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:00 PM