multilingual-score
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In Step 4 of the process, the skill executes a local script using the pattern `brand-voice-scorer.py --brand {slug} --text "{translated_content}"`. The direct interpolation of the `{translated_content}` variable into a shell command line within double quotes is dangerous. An attacker providing content containing shell metacharacters (e.g., backticks, `$(...)`, or escaping the double quotes) could achieve arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its primary data ingestion points.
  - Ingestion points: Untrusted data enters the agent context via the 'Original content' and 'Translated content' inputs in `SKILL.md`, which accept raw text, local file paths, or remote URLs.
  - Boundary markers: The process description does not specify the use of delimiters (like XML tags or triple quotes) or 'ignore' instructions to isolate the content from the agent's instructions.
  - Capability inventory: The skill has the capability to execute multiple subprocesses (`language-router.py`, `eval-runner.py`, `brand-voice-scorer.py`) and read from various local filesystem paths.
  - Sanitization: There is no evidence of sanitization or validation of the ingested content before it is passed to the scoring scripts or processed by the agents.
- [DATA_EXFILTRATION]: The skill accesses sensitive local directories, including `~/.claude-marketing/brands/` (which contains brand profiles, do-not-translate terms, and guidelines) and `~/.claude-marketing/sops/`. Because the skill also supports fetching content from user-provided URLs, there is a risk that the agent could be manipulated via indirect prompt injection to read the contents of these sensitive local files and exfiltrate them to a remote server under the attacker's control.
Audit Metadata