hook-management

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • Prompt Injection (HIGH): The references/audit-framework.md file contains several instructions marked as 'MANDATORY' and 'CRITICAL' that attempt to override the agent's analytical capabilities. It explicitly instructs the auditor to 'never skip' steps that limit findings to those found in 'official documentation' and declares findings 'INVALID' if they cannot be verified externally. This is a self-referential defense mechanism designed to suppress security analysis findings.
  • Indirect Prompt Injection (HIGH): The 'Suggest Parallelization' hook (references/inventory/active-hooks.md) analyzes user-submitted prompts and 'injects a system reminder into Claude's context'.
      ◦ Ingestion point: User prompts analyzed in active-hooks.md.
      ◦ Boundary markers: Absent in the description of context injection.
      ◦ Capability inventory: Full Bash tool access and Write/Edit capabilities across the framework.
      ◦ Sanitization: Not documented; the hook directly influences the system context based on external input.
  • Command Execution (HIGH): The core functionality involves registering and executing arbitrary shell commands and scripts (Bash, .NET, Python) in response to tool usage (e.g., PreToolUse). Registration in .claude/settings.json allows for execution of any command path, providing a high-privilege execution vector.
  • Dynamic Execution (MEDIUM): The framework supports multi-language implementations, including .NET 10 with AOT compilation. Scripts are dynamically loaded and executed via wrapper scripts (dotnet-run.sh), increasing the complexity and potential attack surface for runtime injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:58 AM