The Agent Skills Directory

PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection via the $ARGUMENTS variable. [1] Ingestion points: User tasks are interpolated into the prompt in SKILL.md. [2] Boundary markers: XML-style tags are present but lack explicit instructions for the AI to ignore instructions embedded within the user data. [3] Capability inventory: The skill can trigger code modification (/code) and git commits (/commit). [4] Sanitization: No input sanitization or validation is performed.
COMMAND_EXECUTION (LOW): The skill triggers workflow commands and dynamically activates other skills from the local .claude/skills/ directory. This execution flow is controlled by the interpreted intent of user-provided tasks, which may lead to unintended tool invocation if the input is adversarial.

cook-auto