session-update

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Command Execution (MEDIUM): The skill provides a Bash pattern for appending updates that is vulnerable to shell command injection.
      * Evidence: The 'Token Optimization' section demonstrates a pattern using a heredoc (cat >> "$CURRENT_SESSION" <<EOF) where the $ARGUMENTS variable is interpolated without sanitization. If an agent or script executes this, malicious content in $ARGUMENTS such as subshells or backticks would be executed by the shell. Additionally, the variable $CURRENT_SESSION is derived from local file content without validation, creating another injection vector.
  • Indirect Prompt Injection (LOW): The skill interpolates untrusted user arguments and local metadata into session logs without sanitization or boundary markers.
      * Ingestion points: Data enters via the $ARGUMENTS variable and local files like .claude/sessions/.current-session and .claude/cache/todos/summary.json.
      * Boundary markers: Delimiters or 'ignore embedded instructions' warnings are absent in the logic.
      * Capability inventory: The skill performs file reading (cat, jq), file appending (cat >>), and git metadata retrieval.
      * Sanitization: No escaping or validation of external content is performed before interpolation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 21, 2026, 12:24 PM