claude-permissions-audit
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill reads and modifies multiple configuration files, including ~/.claude/settings.json and project-local settings, which directly control the agent's operational permissions and tool allowlists.
- [CREDENTIALS_UNSAFE]: Accesses ~/.claude/settings.json, a security-sensitive file that defines tool permissions and may contain configuration for Model Context Protocol (MCP) servers, including authentication tokens or service-specific secrets.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) from untrusted configuration data.
  - Ingestion points: Reads settings from potentially untrusted project directories (e.g., /.claude/settings.json).
  - Boundary markers: Absent; the skill does not implement delimiters or safety instructions to isolate external configuration content from the agent's logic.
  - Capability inventory: Possesses file-writing capabilities to modify both global and local settings files, allowing it to apply changes to the agent's security posture.
  - Sanitization: Absent; the instructions do not include steps to validate or sanitize the content of ingested configuration files before processing and rewriting them.