additional-htmx-and-flask-instructions

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill's primary purpose is to review and refactor user-provided code in the templates/ directory, which creates a surface for instructions embedded in those files to influence agent behavior.
      • Ingestion points: The skill uses the Read tool to ingest content matching templates/**/*.*.
      • Boundary markers: Absent. The instructions do not include delimiters or warnings for the agent to ignore instructions found within the templates being reviewed.
      • Capability inventory: The skill has access to Read, Write, and Edit tools, allowing it to modify the file system based on potentially malicious input.
      • Sanitization: Absent. No logic is provided to filter or sanitize the content of the files before processing.
  • Command Execution (LOW): The 'Memory Protocol' section explicitly instructs the agent to execute a cat command in a bash block.
      • Evidence: The protocol mandates running cat .claude/context/memory/learnings.md before starting tasks. While this is a common pattern for local agent 'memory', it involves executing shell commands to access files outside the declared globs scope.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:41 PM