codebase-navigation

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  • Ingestion points: The agent is instructed to read potentially attacker-controlled files such as README.md, CLAUDE.md, and various source code files across the repository (e.g., SKILL.md Step 1, examples/exploration-patterns.md Example 1).
  • Boundary markers: There are no explicit instructions to use delimiters or to disregard natural language instructions found within the files being analyzed.
  • Capability inventory: The skill utilizes ls, grep, glob, and read capabilities to process and retrieve file contents.
  • Sanitization: No sanitization or validation logic is defined to protect against malicious instructions embedded in the codebase being navigated.
  • [DATA_EXFILTRATION]: The skill includes instructions to locate sensitive file paths and environment configurations.
  • Evidence: In SKILL.md, under Step3_ConfigurationDiscovery, it uses glob: **/{.env*,docker-compose*,Dockerfile} to identify environment files that often contain secrets.
  • Evidence: Under FindConfiguration, it uses grep: (process\.env|os\.environ|env\.) to locate where environment variables are accessed, which can expose sensitive configuration keys.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 03:44 AM