The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting data from external files that may be attacker-controlled.
Ingestion points: Scans and reads content from SKILL.md files (first 10 lines) and project-level convention files like agents.md, CLAUDE.md, and .cursorrules.
Boundary markers: Absent; no delimiters or 'ignore' instructions are defined to prevent the agent from following instructions embedded within the scanned content.
Capability inventory: The skill performs file system writes to .atl/skill-registry.md, modifies the project's .gitignore file, and uses a mem_save tool to persist data.
Sanitization: Extracted content like triggers and descriptions is interpolated directly into the registry markdown without validation or escaping.
[DATA_EXFILTRATION]: The skill scans multiple hidden application configuration directories in the user's home folder, specifically targeting ~/.claude/skills/, ~/.config/opencode/skills/, ~/.gemini/skills/, ~/.cursor/skills/, and ~/.copilot/skills/. While targeted at skill subdirectories, this involves traversing sensitive application configuration paths.
[COMMAND_EXECUTION]: The skill includes logic to automatically modify the project's .gitignore file if it exists, which constitutes an automated modification of project configuration and directory visibility.

skill-registry