The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructs the agent to execute complex shell commands where multiple variables are interpolated directly into strings. If variables such as <working-dir>, <reason>, or <file-path> are influenced by untrusted external input or malicious project files, an attacker could execute arbitrary code. Examples include:
echo -n "/absolute/path/to/project" | sha256sum: A path containing shell metacharacters (e.g., ;, `) could trigger command execution.
git commit -m "<reason> | ...": A malicious commit reason could escape the commit message and execute shell commands.
git checkout <hash> -- <file-path>: An attacker could potentially influence the file path to manipulate files outside the intended scope if the agent does not strictly validate the input.
[DATA_EXFILTRATION]: The skill's primary function involves creating a complete copy of the project's working directory in a hidden location (~/.claude/projects/). While it includes a default list of ignored files (like .env), any sensitive files not explicitly covered by the rigid .gitignore template will be mirrored into this hidden directory, increasing the attack surface for sensitive data exposure.

checkpoint