skill-share

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates executable file structures and metadata from the user-provided name and description. This is a critical attack surface: malicious input could trick the agent into writing unauthorized content into the 'scripts/' or 'references/' directories.
    • Ingestion points: User-provided skill name, description, and content during the 'Initialization' and 'Creation' phases (SKILL.md).
    • Boundary markers: Absent. The instructions specify no delimiters around the user content and no ignore-instructions for it.
    • Capability inventory: File system write access, directory creation, and 'Packaging' (zip file creation) (SKILL.md).
    • Sanitization: Absent. There is no mention of validating or escaping user content before it is used to generate the skill structure.
  • [Command Execution] (MEDIUM): The 'Packaging' and 'Validation' features imply the execution of system-level commands or Python scripts to create zip archives and verify file structures. Although the implementation details are not visible, the capability to bundle generated scripts into distributable formats is a high-capability risk.
  • [Data Exfiltration] (MEDIUM): The integration with Rube for Slack (SLACK_SEND_MESSAGE, SLACK_POST_MESSAGE_WITH_BLOCKS) provides a direct network path to an external environment. An attacker could use the skill-creation process to scrape local data and send it to a Slack channel under the guise of 'skill discovery'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:30 AM