claude-md-management

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): In references/quality-criteria.md, the instructions tell the agent to 'Run documented commands (mentally or actually)' to verify their validity. Because the skill allows the Bash tool, an agent might attempt to execute arbitrary and potentially malicious code found in a CLAUDE.md file during the assessment phase.
  • [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It is designed to ingest and process untrusted data from CLAUDE.md files, which can control the agent's output and actions.
    • Ingestion points: The find command and Read tool are used to locate and ingest CLAUDE.md, .claude.md, and .claude.local.md files (SKILL.md, Phase 1).
    • Boundary markers: None are specified; the agent processes the file content directly for scoring.
    • Capability inventory: The skill uses Bash and Edit tools, allowing for command execution and file modification based on the untrusted input.
    • Sanitization: No sanitization or validation of the content within CLAUDE.md is performed before processing.
  • [DATA_EXFILTRATION] (LOW): The 'Discovery' phase in SKILL.md explicitly directs the agent to search for and read ~/.claude/CLAUDE.md. Accessing files in the user's home directory outside of the current project workspace is a privacy concern and increases the risk of sensitive data exposure.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 21, 2026, 06:06 AM