translate-content

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is highly vulnerable to shell command injection because it interpolates raw, untrusted user content and translated text directly into command-line arguments for local scripts.
  • Evidence: Steps 2, 3, 6, and 9 use string interpolation (e.g., python scripts/language-router.py --text "{content_or_path}") to execute Python scripts. An attacker providing text containing shell metacharacters like backticks, semicolons, or subshells (e.g., $(rm -rf /)) could trigger arbitrary command execution in the context of the agent.
  • [DATA_EXFILTRATION]: The skill accesses sensitive and proprietary data stored in a hidden directory within the user's home folder.
  • Evidence: Step 1 reads from ~/.claude-marketing/brands/ and ~/.claude-marketing/sops/. These paths contain brand profiles, voice-and-tone guidelines, and standard operating procedures (SOPs), which are sensitive business assets. This content is then processed and potentially transmitted to external translation services.
  • [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection as it processes untrusted content through multiple complex steps without sanitization.
  • Ingestion points: The "content to translate" input and the translated_content returned from external MCP translation servers (Step 5).
  • Boundary markers: None identified. The skill does not use delimiters or instructions to ignore embedded commands in the content being translated.
  • Capability inventory: High-risk capabilities including file system reads from the home directory and subprocess execution via Python scripts.
  • Sanitization: No sanitization or validation of the input content is performed before it is used in command-line execution or scoring logic (Steps 6 and 9).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 11:26 PM