agent-expert-creation
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The 'Act-Learn-Reuse' pattern establishes a workflow where untrusted data from the codebase is ingested and promoted into the agent's persistent memory (expertise files).
  1. Ingestion points: Files within the codebase are analyzed using the Read, Grep, and Glob tools, and git diff output is used during the 'self-improve' phase.
  2. Boundary markers: The templates do not define delimiters or specific instructions to help the agent distinguish between data and embedded instructions.
  3. Capability inventory: The skill grants Read, Write, Grep, and Glob permissions. The templates also incorporate Bash, Edit, and WebFetch for specialized experts.
  4. Sanitization: There is no mention of filtering or sanitizing content before it is written to the expertise.yaml or command files.
- [COMMAND_EXECUTION]: The skill facilitates the creation of agents that can modify their own executable environment. The 'Expert Creation Process' details a structure where agents write new Markdown files to .claude/commands/experts/, which serve as new command definitions. If an attacker injects instructions into the codebase that are subsequently processed by a 'self-improve' agent, they could potentially trigger the creation of malicious commands or scripts within the agent's configuration directory.