link-dependencies

Warn

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Dynamic Execution (MEDIUM): The skill utilizes a PreToolUse hook to automatically execute a script located at $CLAUDE_PROJECT_DIR/.claude/hooks/workflows/system-check.sh. This pattern is risky because it executes code from an environment-relative path that could be controlled by an attacker in a shared repository, leading to command execution on the user's machine when the skill is activated.
  • Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it parses the format and dependency-topic fields from untrusted plan.md files and interpolates them directly into file paths (e.g., ../technical-planning/references/output-formats/{format}/reading.md). This lacks sanitization or path validation, potentially allowing for directory traversal attacks. Evidence Chain:
      1. Ingestion points: Frontmatter fields format and external_dependencies from plan.md files.
      2. Boundary markers: Absent; there are no delimiters or warnings to ignore instructions within the parsed content.
      3. Capability inventory: The skill has the ability to list directories (ls), read files, write to files, and execute shell commands via hooks.
      4. Sanitization: Absent; the skill does not validate that format or dependency-topic are restricted to safe alphanumeric characters or existing directories.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 23, 2026, 06:27 AM