project-setup

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill's session hooks ingest untrusted repository data, creating an injection surface.
    1. Ingestion points: Git commit messages, branch names, and status are collected in assets/hooks/session-start.sh, assets/hooks/pre-compact.sh, assets/hooks/session-complete.sh, and their PowerShell counterparts.
    2. Boundary markers: Markdown headers and code blocks are used as delimiters in the hook outputs, but there are no explicit instructions for the agent to ignore embedded commands or instructions within the data.
    3. Capability inventory: The skill is granted Bash, Write, and Edit tools as defined in SKILL.md. The hooks themselves use git commands and cat via functions in assets/hooks/lib/utils.sh.
    4. Sanitization: No sanitization or validation of the Git output is performed before it is written to the AI context.
  • Persistence (SAFE): The skill configures automated hooks in .claude/settings.local.json, so the behavior persists across sessions. However, this is the primary intended functionality of the skill and is clearly documented for the user during setup.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:46 PM