The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses a bash block in Step 2 to execute a Python script while interpolating the user-supplied <path> argument. If the agent does not properly sanitize this input, it could lead to command injection where an attacker provides a path containing shell metacharacters (e.g., ; rm -rf /) to execute arbitrary commands.
[REMOTE_CODE_EXECUTION]: The skill attempts to execute a Python script memory_map.py located at ${CLAUDE_PLUGIN_ROOT}/scripts/. This script is not provided within the skill package, making its contents and security posture unverifiable.
[EXTERNAL_DOWNLOADS]: The command uses uv run, which may trigger automatic downloads and installations of Python environments or packages from public registries if they are not already cached locally, potentially leading to the execution of untrusted third-party code.
[PROMPT_INJECTION]: The skill represents an indirect prompt injection surface (Category 8). Ingestion points: Reads CLAUDE.md, ~/.claude/rules/*.md, and auto-memory files. Boundary markers: No delimiters or ignore instructions are specified. Capability inventory: Uses Bash, Read, Grep, and Glob tools. Sanitization: No sanitization or validation of the ingested markdown content is performed before processing.

solo-memory-audit