auto-skill-guide

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The documentation and installation script promote the global installation of the @matrixy/auto-skill npm package and encourage users to add community skills from arbitrary repositories via npx skills add owner/repo. These sources are outside the trusted organization scope.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill executes npm install -g and npx commands, which download and execute code from the npm registry. The install-cli.sh script automates this process, potentially bypassing manual review of the package contents.
  • DYNAMIC_EXECUTION (MEDIUM): The skill's core functionality involves observing agent tool sequences, generating SKILL.md files from these patterns, and loading them into the active session. This runtime assembly of instructions from observed behavior is a form of dynamic code loading that could be manipulated to execute unintended logic.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill creates an attack surface where malicious data processed by the agent could influence the 'workflow patterns' detected and subsequently turned into active skills.
  • Ingestion points: Pattern detection logic in SKILL.md monitors all tool calls via a PostToolUse hook.
  • Boundary markers: Uses text delimiters (e.g., SKILL LOADED) but lacks cryptographic signing or integrity checks for generated skills.
  • Capability inventory: Capable of writing files to ~/.claude/skills/auto/ and injecting those instructions into the LLM context.
  • Sanitization: No evidence of sanitization or safety filtering for the observed tool sequences before they are converted into permanent skills.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:27 PM