project-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [Prompt Injection / Indirect Injection] (HIGH): The /wrap-session and /reflect commands analyze untrusted conversation history to automatically generate and save project rules in .claude/rules/. An attacker can inject instructions into the conversation that trick the agent into creating rules that persistently override its future safety constraints or operational logic. This lacks any sanitization or boundary markers for the ingested content.
  • [Command Execution] (MEDIUM): The skill relies extensively on shell command execution via the git CLI (add, commit, push, log) and system utilities like mkdir. In commands/wrap-session.md, it constructs complex multi-line shell commands for git commits using heredocs.
  • [External Downloads] (MEDIUM): The /release workflow requires external tools gitleaks and npm audit to be present in the execution environment. While these are common security tools, the skill invokes them as unverified dependencies.
  • [Data Exfiltration] (LOW): The /wrap-session command initiates git push operations, which transmit repository content to remote servers. This constitutes a network-based data transfer that, while functional, is a point of exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:55 AM