propose-forge-improvement

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted session data to automate file operations and search commands.
    1. Ingestion points: The skill scans the session history for referenced skills, executed commands, observed patterns, and friction points.
    2. Boundary markers: No explicit markers or delimiters are provided to separate the ingested session data from the agent's internal logic.
    3. Capability inventory: The skill can execute search commands (find, grep) and write files to the local file system (~/.claude/learnings/).
    4. Sanitization: There is no evidence of sanitization or validation of the strings extracted from the session history before they are used in shell commands or file paths.
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands using variables extracted from the user's conversation history.
    Evidence: The search instruction 'find ~/.claude/plugins/cache -name "*.md" | xargs grep -l "{component-name}"' uses a placeholder for the component name that could be manipulated by crafted session content to include flags (e.g., -f) or other arguments.
    Evidence: The file-saving logic uses 'mkdir -p ~/.claude/learnings/projects/{project-slug}/feedback/{type}/' where the project-slug and type are derived from the session, creating a potential path traversal vulnerability if these strings are not properly escaped.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 10, 2026, 06:50 AM