weekly-performance

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data from external ad platform APIs and incorporates it into a generated HTML slide deck.
  • Ingestion points: Data is pulled via mcp__motion__get_creative_insights, mcp__motion__get_creative_summary, and mcp__motion__get_workspace_brand (specifically hooks, headlines, and brand guidelines).
  • Boundary markers: The instructions do not define any delimiters or system-level warnings to separate these external strings from the agent's logic.
  • Capability inventory: The agent has the capability to read local files, execute vendor tools, and generate complex HTML/CSS output which can be rendered by the user.
  • Sanitization: There are no instructions to sanitize or escape the external strings before they are placed into the HTML document, creating a risk if the source data contains malicious scripts or redirects.
  • [DATA_EXFILTRATION]: The skill performs lateral filesystem access by reading files located in a sibling skill's directory.
  • Evidence: In Phase 1b, the skill reads ${CLAUDE_SKILL_DIR}/../creative-strategist/SKILL.md and related reference files. While used for methodology consistency, this practice accesses data outside the skill's own scope and could be leveraged to discover or extract metadata from other installed skills if the environment is not properly isolated.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 01:00 AM