performance-check

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local Python scripts with dynamic arguments based on brand data. Evidence: Steps 10 and 11 execute scripts/performance-monitor.py and scripts/campaign-tracker.py using the {slug} variable. This represents a command execution surface within the agent's environment.
  • [DATA_EXFILTRATION]: The skill accesses sensitive marketing and business data stored in the user's home directory. Evidence: Step 1 reads brand profiles, compliance rules, and guidelines from ~/.claude-marketing/brands/. While intended for context, accessing private application data in the home directory is a significant data exposure risk.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing untrusted data from external platforms. Evidence:
      • Ingestion points: Data is pulled from external analytics MCPs (Google Analytics, Meta Marketing, etc.) in Step 3 and read from profile.json in Step 1.
      • Boundary markers: None identified in the skill instructions to separate platform data from agent instructions.
      • Capability inventory: The agent has the ability to execute local scripts (performance-monitor.py, campaign-tracker.py) and read/write to the local filesystem.
      • Sanitization: No sanitization or validation of the external metrics or profile data is mentioned before it is processed or used in script execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 27, 2026, 01:02 PM