docs

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It ingests content from numerous untrusted sources within the project (documentation files, package manifests, CI/CD configs) and uses this data to drive its output and file-writing behavior.
      • Ingestion points: package.json, composer.json, pyproject.toml, Cargo.toml, docs/*.md, .github/workflows/, .gitlab-ci.yml, Jenkinsfile, Dockerfile, docker-compose.yml, route/controller definitions, and .env.example.
      • Boundary markers: Absent. There are no instructions to use delimiters or to ignore instructions embedded within the files being analyzed.
      • Capability inventory: Command execution (git log, git remote -v) and file system write/modify access (root README.md, CLAUDE.md, AGENT.md, and all files in the docs/ directory).
      • Sanitization: Absent. Content read from the codebase is directly interpreted to deduce project descriptions and rewrite documentation sections.
  • [COMMAND_EXECUTION]: The skill executes shell commands to gather project metadata, specifically git log --oneline -10 and git remote -v. While these are used for context gathering, executing commands based on project state carries inherent risks if the repository or environment is malicious.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 20, 2026, 07:58 AM