improve-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Data Exposure & Exfiltration (HIGH): The skill is designed to crawl and read session history logs from hidden directories in the user's home folder (`~/.claude/`, `~/.pi/`, `~/.codex/`). These transcripts contain historical command outputs, code, and potentially sensitive environment variables or secrets exposed during previous agent sessions.
- Indirect Prompt Injection (HIGH): The skill creates an automated pipeline that processes untrusted data (historical transcripts) and uses it to dictate the creation or modification of other executable skills.
  - Ingestion points: `~/.claude/projects/`, `~/.pi/agent/sessions/`, and `~/.codex/sessions/`, read via the `extract-session.js` script.
  - Capability inventory: The skill workflow prompts the agent to "Write the improved skill back to the same location," granting it file-write capabilities over the skill system.
  - Boundary markers: Uses XML-style tags (`<session_transcript>`), which can be trivially bypassed by an attacker who places a closing tag and new instructions inside a previous session log.
  - Sanitization: No sanitization is performed on the transcript content before it is interpolated into the improvement prompt.
- Command Execution (MEDIUM): The skill executes a local JavaScript file (`./scripts/extract-session.js`) to perform file system operations. While the script is local, its purpose is to access and parse sensitive application data from multiple agent platforms.
Recommendations
- AI detected serious security threats
Audit Metadata