solo-memory-audit

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a command that directly interpolates the $ARGUMENTS (as the <path> variable) into a shell string: uv run python ${CLAUDE_PLUGIN_ROOT}/scripts/memory_map.py <path> --audit. This pattern is susceptible to command injection if a maliciously crafted path containing shell metacharacters (e.g., ;, &&, or |) is provided.
  • [COMMAND_EXECUTION]: A secondary fallback command in Step 2 also interpolates the unvalidated <path> argument into a python execution string, maintaining the same risk of arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface by instructing the agent to read and analyze the content of untrusted project files (CLAUDE.md, .claude/rules/*.md, and MEMORY.md) without sufficient safeguards.
  • Ingestion points: The skill reads project-level configuration, rules, and memory files in Step 3 and Step 5 to generate the audit report.
  • Boundary markers: Absent. The instructions do not provide delimiters or "ignore embedded instructions" directives when processing the content of the audited files.
  • Capability inventory: The skill has access to powerful tools including Bash, Read, Grep, and Glob, which could be exploited if instructions inside audited files are followed.
  • Sanitization: No validation, filtering, or escaping of the content found within the project files is performed before the data is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 10, 2026, 03:47 PM