skill-discovery

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file uses aggressive and imperative language to override the agent's decision-making process. Statements such as "ABSOLUTELY MUST", "not negotiable", "not optional", and "You cannot rationalize your way out of this" are designed to force compliance and bypass the agent's typical reasoning filters.
  • [PROMPT_INJECTION]: The "Red Flags" section in SKILL.md specifically attempts to suppress the agent's internal logic and caution, instructing it to ignore thoughts like "I need more context first" or "Let me explore the codebase first" in favor of immediate skill invocation.
  • [PROMPT_INJECTION]: By establishing a protocol where any file appearing to be a skill must be loaded and followed exactly, the skill creates an indirect prompt injection surface. An attacker who can place a file in the environment (e.g., via a git repo or user upload) could use this protocol to force the agent to execute malicious instructions.
  • Ingestion points: The agent is instructed to read skills directly and access memory files in .claude/context/memory/.
  • Boundary markers: No specific markers or delimiters are defined to separate skill instructions from the core system prompt or safety guidelines.
  • Capability inventory: The skill utilizes Read, Glob, and Grep tools, which are used to find and ingest external content.
  • Sanitization: There is no evidence of sanitization or validation of the content within the discovered skills before they are "followed exactly".
  • [SAFE]: The provided Node.js scripts (main.cjs, pre-execute.cjs, post-execute.cjs) contain boilerplate logic for argument parsing and hook execution with no identified security risks such as command injection, network access, or sensitive file exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 3, 2026, 04:25 PM