Council

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Dynamic Execution] (MEDIUM): The skill is designed to load and apply configurations and resources from a local path (~/.claude/skills/CORE/USER/SKILLCUSTOMIZATIONS/Council/) to override its default logic. This dynamic loading mechanism allows local files to modify the agent's core behavior, serving as a potential vector for persistent prompt injection. Evidence: SKILL.md.
  • [Command Execution] (LOW): The skill executes a curl POST request to http://localhost:8888/notify for voice notifications. While localhost is a whitelisted domain for exfiltration analysis, the use of unauthenticated shell-based network calls remains a minor risk surface. Evidence: SKILL.md.
  • [Indirect Prompt Injection] (LOW): The debate and quick workflows interpolate untrusted data (user-provided topics and agent transcripts) directly into subsequent prompts without sanitization.
    1. Ingestion points: [Topic] and [Full Round 1 transcript].
    2. Boundary markers: Absent; the data is injected into instructions without delimiters.
    3. Capability inventory: File reading and shell command execution (curl).
    4. Sanitization: No validation or escaping is performed on the ingested content.
    Evidence: Workflows/Debate.md, Workflows/Quick.md.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:39 PM