audit-transcripts-for-learnings

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from past transcripts to generate persistent agent configurations, creating a significant injection surface.
      • Ingestion points: Reads project transcript files (.jsonl) from ~/.claude/projects/ in Step 3.
      • Boundary markers: Absent. The subagent prompts in Step 4 do not include delimiters or instructions to ignore embedded commands within the transcript content.
      • Capability inventory: The skill has the capability to write to ~/.claude/commands/, ~/.claude/skills/, and modify CLAUDE.md files (Step 9).
      • Sanitization: The protocol explicitly states "no PII scrubbing layer" and lacks validation of the extracted content before presenting it for promotion.
  • [COMMAND_EXECUTION]: The skill uses a complex shell pipeline in Step 1 to rank projects by activity. The use of xargs -I {} sh -c on directory paths derived from project names could be vulnerable to command injection if a project directory name contains shell metacharacters.
  • [DATA_EXFILTRATION]: The skill accesses and processes the user's entire Claude Code transcript history (~/.claude/projects/). This data is sent to subagents for analysis. As the skill lacks scrubbing mechanisms, sensitive information, credentials, or private code discussed in past sessions are exposed to the analysis process.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 3, 2026, 03:46 AM