The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from .claude/cache/learnings/*.md. If these files contain malicious instructions (e.g., from a previously browsed website or processed file), the skill may incorporate them into permanent rules or scripts. There are no boundary markers or sanitization logic mentioned for these inputs.
[Remote Code Execution] (HIGH): The process in Step 7 involves generating and executing arbitrary shell scripts (.sh) and TypeScript/Node.js code. It explicitly uses chmod +x to make these generated scripts executable.
[Persistence Mechanisms] (HIGH): The core purpose is creating persistence. It writes to .claude/rules/ and .claude/skills/, and more critically, it modifies .claude/settings.json to register new hooks that run automatically on events like SessionEnd or PostToolUse.
[Command Execution] (MEDIUM): The skill utilizes the Bash tool to perform filesystem operations and execute the generated code. While intended for automation, this capability can be abused if the generated content is malicious.
[Mitigation Note] (INFO): The skill includes an AskUserQuestion step before applying changes, which serves as a human-in-the-loop check. However, an attacker could craft the 'Rationale' or 'Pattern Name' to be deceptive, potentially tricking a user into approving a malicious artifact.

compound-learnings