startup-validating

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill exhibits a path traversal vulnerability in its preset loading logic. In WORKFLOW.md (Section 1.5), the orchestrator builds a file path by interpolating the user-supplied {name} from the --preset argument into a Read tool call: ${CLAUDE_SKILL_DIR}/../../presets/{name}.md. Because {name} is not validated, an attacker can supply directory traversal sequences (e.g., ../../) to read arbitrary files, provided the resulting path ends in, or can be resolved with, the .md extension.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      • Ingestion points: Untrusted data enters the agent context via the startup idea text and via research documents referenced with the @file argument (WORKFLOW.md Section 1.1).
      • Boundary markers: The workflow uses markdown headers such as '## Idea' and '## Research Context' to separate untrusted data in sub-agent prompts (WORKFLOW.md Sections 2.2 and 2.3).
      • Capability inventory: The orchestration environment possesses Read, Write, and Agent tools, which could be abused if an injection succeeds (SKILL.md).
      • Sanitization: The orchestrator summarizes research documents into bullet points before including them in prompts (WORKFLOW.md Section 2.1), which provides some protection but does not fully eliminate the risk of instruction override.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 10:55 AM