funnel-audit
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [DATA_EXFILTRATION]: The skill interacts with the local filesystem, specifically within the `~/.claude-marketing/` directory. The implementation uses a dynamic `{slug}` variable to construct paths such as `~/.claude-marketing/brands/{slug}/profile.json`. This introduces a potential path traversal vulnerability if the slug value—which is loaded from a separate file—can be manipulated to include parent directory references (e.g., `../../`), potentially allowing the agent to read sensitive files outside the intended directory.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design. It loads guidelines, compliance rules, and standard operating procedures (SOPs) from external files and is instructed to "apply" them to its current task. If any of these files are compromised or contain adversarial instructions, the agent's behavior could be redirected.
  - Ingestion points: Multiple local files including `~/.claude-marketing/brands/{slug}/profile.json`, `skills/context-engine/compliance-rules.md`, `~/.claude-marketing/brands/{slug}/guidelines/_manifest.json`, and files within `~/.claude-marketing/sops/`.
  - Boundary markers: The process lacks explicit delimiters or instructions to treat the loaded content as data rather than instructions, increasing the risk of the agent obeying commands embedded within those files.
  - Capability inventory: The skill utilizes several specialized agents (marketing-strategist, analytics-analyst, cro-specialist) to perform data analysis and modeling; while no direct system-level command execution is shown, the high-level analysis can be subverted.
  - Sanitization: There is no evidence of sanitization or validation of the content loaded from the filesystem or the `{slug}` variable before they are used in path construction or prompt context.
Audit Metadata