The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The installation process modifies the global ~/.claude/settings.json file to register permanent PermissionRequest and Stop hooks. This persistence mechanism allows external scripts to intercept and approve sensitive operations, representing a significant security bypass and unauthorized privilege modification of the agent's core safety controls.
[PROMPT_INJECTION] (LOW): The skill implements an automated security reviewer vulnerable to indirect prompt injection (Category 8). It evaluates untrusted data to determine command safety without sufficient isolation or instruction-data separation.
Ingestion points: TOOL_INPUT in auto-approve.sh and the session transcript in continue-check.sh.
Boundary markers: Absent; the prompts used for the Haiku reviewer do not employ delimiters or security instructions to prevent the model from obeying instructions hidden within the tool inputs.
Capability inventory: The hook scripts can auto-approve any tool execution (e.g., shell commands, file writes) and prevent the agent from stopping after a task completion.
Sanitization: None; input is base64-encoded for transport but decoded and processed as instructions by the reviewer model.
[DATA_EXFILTRATION] (LOW): The skill reads your conversation transcript and tool inputs (which may contain sensitive information from files read) and transmits this data to an external LLM for decision-making.

auto-approve