text-optimizer
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because its core function involves reading and analyzing arbitrary text files provided by the user, which could contain malicious instructions designed to subvert the agent's behavior.
  - Ingestion points: External files and entire directories (e.g., `.claude/agents/`) are read into the agent's context using the `Read` and `Glob` tools based on user input or automated discovery.
  - Boundary markers: The skill does not define or implement boundary markers (like XML tags or specific delimiters) for the data it ingests during the analysis phase, making it difficult for the agent to distinguish between its own instructions and content within the target files.
  - Capability inventory: Across its scripts, the skill utilizes the `Read`, `Write`, `Edit`, `Grep`, and `Glob` tools. This gives it the capability to modify any file on the filesystem that it is directed to process, which could be exploited if an injection attack is successful.
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the content read from external files before it is processed by the LLM logic.
- [DATA_EXFILTRATION]: While the skill has broad filesystem access (`Read`, `Write`, `Edit`), the platform configuration (YAML frontmatter) restricts it to a set of tools that do not include network access (e.g., no `curl`, `wget`, or `fetch`). This significantly mitigates the risk of automated data exfiltration to external domains.