Createskill

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflows CreateSkill.md, UpdateSkill.md, and CanonicalizeSkill.md instruct the agent to execute shell commands such as mkdir, touch, and mv using user-defined placeholders like [SkillName] and [target-path]. This creates a vulnerability surface where a malicious user could potentially execute arbitrary commands if input sanitization is not enforced by the agent.
  • [PROMPT_INJECTION]: The skill employs strong, behavior-shaping language, declaring itself a 'MANDATORY' framework and the 'AUTHORITATIVE SOURCE' for all skill-related tasks. This is an attempt to override the agent's standard operating procedures in favor of the skill's specific architecture.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting user input to generate or modify skill files.
    1. Ingestion points: User-provided skill names, descriptions, and triggers in CreateSkill.md and UpdateSkill.md.
    2. Boundary markers: No delimiters are used to wrap external content or warn the agent about embedded instructions.
    3. Capability inventory: Filesystem manipulation via mkdir, touch, and mv.
    4. Sanitization: No explicit validation or escaping of user strings is performed before they are written to disk or used in command-line execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 12, 2026, 12:04 PM