The Agent Skills Directory

[COMMAND_EXECUTION]: The skill interpolates user-supplied arguments such as ${N} and ${PATHS} directly into shell commands in Phase 1b. If the agent platform does not sanitize these inputs, an attacker could execute arbitrary commands via the CLI interface.
[COMMAND_EXECUTION]: In Phase 3a, the skill extracts strings from project documentation and passes them to a shell test command: [ ! -e "$f" ]. A maliciously crafted documentation file containing shell metacharacters could lead to unintended command execution.
[PROMPT_INJECTION]: The skill has a high exposure to indirect prompt injection (Category 8). It ingests untrusted data from git diff and the codebase (Ingestion points: SKILL.md Phase 1b/1c) without boundary markers or sanitization. It has the capability to modify persistent agent instructions (Capability inventory: Write and Edit tools in Phase 5). An attacker could commit code that tricks the agent into adding malicious rules or safety bypasses to the project's permanent documentation, compromising future sessions.

update-claude