The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the $ARGUMENTS variable. 1. Ingestion points: $ARGUMENTS in SKILL.md. 2. Boundary markers: Uses <investigation_request> tags to wrap untrusted input. 3. Capability inventory: Includes full shell command execution in Step 2, file system reading in Step 3, system tool discovery (command -v), and MCP tool access. 4. Sanitization: No explicit technical sanitization; relies on instructions for 'Reproduction Safety' evaluation and user confirmation.
[COMMAND_EXECUTION]: Step 2 of the investigation procedure explicitly directs the agent to execute the same operation the user performed, including shell commands, to reproduce the reported behavior first-hand. This allows for execution of arbitrary system commands if the input is malicious.
[DATA_EXFILTRATION]: The skill performs discovery of local system capabilities in Step 0, which includes searching for network-capable tools like curl and inspecting agent configuration files in ~/.claude/agents/.

find-cause