allow-permissions

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill automates the modification of the global security configuration file ~/.claude/settings.json. It maps specific requests to broad wildcard permissions such as Bash(npm *) and Read(~/**), effectively bypassing the agent's per-execution security prompts and granting persistent wide-scale access to the system.
  • [COMMAND_EXECUTION]: During the verification step, the skill executes subprocesses using strings extracted from untrusted image data (e.g., which <command> and <command> --version). An attacker could craft an image containing malicious commands that would be executed by the agent during this validation process.
  • [DATA_EXFILTRATION]: The skill accesses sensitive file paths including the global configuration directory ~/.claude/ and the user's personal documents at ~/Documents/screenshot/. While no external network transfer is documented, this constitutes unauthorized exposure of private user data and security configurations.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Ingestion point: ~/Documents/screenshot/ (SKILL.md). Boundary markers: None (no instructions to ignore text within images). Capability inventory: File write access to ~/.claude/settings.json and subprocess execution via which. Sanitization: None (no validation or escaping of text extracted from images before use in configuration or command execution).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 6, 2026, 06:38 AM