The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill instructions in references/correction-patterns.md under the 'Detecting the Skill's Repo' section direct the agent to read ~/.claude/skills/<skill-name>/.git/config. This file often contains sensitive information, including plain-text authentication tokens or personal access tokens embedded within remote URLs (e.g., https://<token>@github.com/...). Reading this file exposes these credentials to the agent's context.
[PROMPT_INJECTION]: The core functionality of the skill is to ingest and store natural language instructions ('corrections') that are persistently applied to the agent in future sessions. This creates a significant surface for indirect prompt injection.
Ingestion points: The agent reads instructions from ~/.claude/skill-corrections/ACTIVE_CORRECTIONS.md and individual markdown files within ~/.claude/skill-corrections/skills/.
Boundary markers: The prompt appended to the user's CLAUDE.md simply instructs the agent to 'check... and apply' the corrections without utilizing strict delimiters or instructions to treat the content as untrusted data.
Capability inventory: The skill possesses Read, Edit, Write, and Glob capabilities, allowing it to modify the agent's operating instructions and filesystem across sessions.
Sanitization: While the skill includes a 'NEVER' rule against saving corrections that bypass safety, there is no technical validation, escaping, or sanitization of the user-provided text before it is stored and later re-injected into the agent's system context.
[COMMAND_EXECUTION]: In Step 5, the skill instructions require the agent to modify the global ~/.claude/CLAUDE.md configuration file. By appending instructions to this file, the skill establishes a persistence mechanism that automatically alters the agent's behavior and system prompt for all subsequent sessions, which could be abused to maintain unauthorized behavioral overrides.

skill-learner