The Agent Skills Directory

[COMMAND_EXECUTION]: In SKILL.md, the instructions tell the agent to execute a shell command where user-supplied $ARGUMENTS are directly interpolated into a bash string: python3 ... $ARGUMENTS. This allows for arbitrary command execution on the host machine if the input contains shell metacharacters like ;, &&, or |.
[DATA_EXFILTRATION]: The SKILL.md file contains a hardcoded absolute file path: /Users/kikuchihiroyuki/stock-skills/.claude/skills/stock-report/scripts/generate_report.py. This discloses the system's local username and internal directory structure, which is a sensitive information leak.
[PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It retrieves data from external sources (Yahoo Finance, Neo4j industry research, and investment notes) and prints summaries directly to the agent's context without sanitization.
Ingestion points: Data enters the context via get_stock_detail, get_industry_research_for_sector, and get_prior_report in scripts/generate_report.py.
Boundary markers: The script lacks specific delimiters or 'ignore embedded instructions' warnings when outputting the fetched external data.
Capability inventory: The skill has access to the Bash tool (restricted to python3) as defined in the allowed-tools metadata.
Sanitization: No escaping or validation is performed on external content (e.g., industry catalysts or summaries) before it is interpolated into the agent's output.

stock-report