The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection via external data ingestion.
Evidence Ingestion points: 'workflows/create-new-skill.md' (Step 2) and 'workflows/verify-skill.md' (Step 4) fetch documentation and library details using WebSearch, WebFetch, and Context7 tools.
Boundary markers: No specific delimiters or instructions to ignore embedded commands are used when processing external content.
Capability inventory: The skill can create directories, write files, and execute shell scripts ('workflows/add-script.md', 'workflows/create-new-skill.md').
Sanitization: No sanitization or validation logic is applied to the content retrieved from external sources before it is used to generate skills or scripts.
[REMOTE_CODE_EXECUTION] (HIGH): Dynamic creation and execution of scripts and installation of external dependencies.
Evidence: 'workflows/add-script.md' includes steps to create bash/python scripts and execute them using 'scripts/{script-name}.sh'. 'references/executable-code.md' provides examples for installing packages via 'pip install'.
Risk: Combining this with the Indirect Prompt Injection vector allows an attacker to control the scripts generated and executed by the agent.
[COMMAND_EXECUTION] (MEDIUM): Extensive use of shell commands for filesystem management and process control.
Evidence: Commands such as 'mkdir', 'ls', 'cat', 'chmod +x', and direct execution of local scripts are integrated throughout multiple workflows including 'workflows/audit-skill.md' and 'workflows/verify-skill.md'.
[CREDENTIALS_UNSAFE] (LOW): Recommends centralizing all API credentials in a single local file.
Evidence: 'references/api-security.md' advises storing all sensitive tokens in '~/.claude/.env'. While this prevents exposure in chat logs, it creates a single point of failure and a high-value target for exfiltration if the agent is compromised.

create-agent-skills