The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface due to its core management functions.
Ingestion points: The skill uses read_file and grep to ingest the content of SKILL.md files from any subdirectory in the environment (e.g., SKILL.md from other potentially malicious skills).
Boundary markers: There are no markers or delimiters used when processing external skill content to distinguish between instructions and data.
Capability inventory: The agent is explicitly authorized to read and write (modify) other skill files via the 'Repair' logic, and it can execute shell commands (grep, npx).
Sanitization: No sanitization or validation is performed on the content extracted from external skills before it is summarized and written back to the filesystem.
Command Execution (MEDIUM): The skill utilizes shell commands (grep, npx, bun) to perform its tasks. The grep command uses wildcard path expansion (${SKILL_DIR}/../*/SKILL.md), which allows it to access data across the entire skill ecosystem, increasing the impact of any potential injection.
External Downloads (LOW): The execution of npx -y bun triggers a download of the bun runtime from the npm registry if it is not already present in the environment. While npm is a standard source, runtime fetching adds a layer of dependency risk.

skill-manager