skills/getsentry/skills/skill-scanner/Gen Agent Trust Hub

skill-scanner

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH; PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): Significant surface for Indirect Prompt Injection (Category 8).
      • Ingestion points: The skill explicitly reads and processes SKILL.md, scripts/, and references/ files from untrusted third-party skills provided by the user in Phase 1, Phase 3, and Phase 6.
      • Boundary markers: While the SKILL.md provides a 'False Positive Guide' and instructions to 'evaluate intent', it lacks programmatic boundary markers or strict delimiters to prevent the agent from obeying instructions embedded within the scanned content.
      • Capability inventory: The skill is granted Bash, Read, Grep, and Glob. The Bash capability allows for arbitrary command execution on the host system.
      • Sanitization: No programmatic sanitization or escaping of the untrusted skill content is described before the agent processes it.
  • COMMAND_EXECUTION (MEDIUM): The skill requires the Bash tool to execute its bundled analysis script.
      • Evidence: SKILL.md instructs the use of uv run ${CLAUDE_SKILL_ROOT}/scripts/scan_skill.py <skill-directory>.
      • Risk: The presence of Bash combined with the ingestion of untrusted data (Category 8) allows a successful injection attack to escalate to arbitrary code execution.
  • EXTERNAL_DOWNLOADS (LOW): The use of uv run may trigger the download of Python dependencies defined in the script metadata.
      • Evidence: uv run is used in Phase 2.
      • Note: Without the contents of scripts/scan_skill.py, the specific dependencies cannot be verified, but uv is a standard tool for managing reproducible environments.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 10:53 PM