The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill is designed to modify instructions in SKILL.md based on conversation history, creating a vector where malicious inputs could be permanently integrated into the agent's behavior. \n
Ingestion points: User feedback signals detected in the current conversation (SKILL.md, Step 2). \n
Boundary markers: Absent. The skill scans the entire chat for keywords like "No" or "Always do X". \n
Capability inventory: Writing updates to SKILL.md, CHANGELOG.md, and OBSERVATIONS.md. \n
Sanitization: Lacks automated sanitization; relies on manual user approval and natural language quality criteria.\n- Command Execution (MEDIUM): The skill uses the self-improve on and self-improve off triggers to directly execute rm and touch shell commands for state management. While limited to the skill directory, this demonstrates a capability for unconstrained local file operations.\n- Persistence (MEDIUM): The documentation encourages users to modify their global .claude/settings.local.json to include a stop hook pointing to self-improve-hook.sh. This establishes a persistent execution mechanism where the skill's analysis logic runs automatically at the end of every agent session.

skill-optimizer-lawvable