Gen Agent Trust Hub audit: skills/ingpoc/skills/orchestrator

Skill: orchestrator

Audit result: Fail

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/session-entry.sh, and the corresponding documentation in references/session-management.md, implement a health check that reads a command string from the health_check field of a local configuration file (.claude/config/project.json) and runs it with the eval builtin. Because the command string is taken from the repository's own configuration, arbitrary command execution on the host follows whenever that file comes from an untrusted source or is included in a malicious project repository.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its session resumption and context loading logic. (1) Ingestion points: The agent is instructed to read session summaries from the shared /tmp/summary/ directory and project-specific files such as .claude/progress/checkpoint_summary.md and .claude/config/project.json. (2) Boundary markers: The resumption templates in references/session-resumption.md interpolate these summaries directly into the agent's prompt context without using delimiters or instructions to ignore embedded commands. (3) Capability inventory: The skill possesses significant capabilities including shell command execution (eval), filesystem manipulation (mkdir, jq, cat), and git operations. (4) Sanitization: No sanitization or validation of the content retrieved from these external files is performed before it is processed or executed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 26, 2026, 09:24 AM