generate_command

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it interpolates user-provided text into a command template that is then saved to the filesystem.
    - Ingestion points: User input enters via the #$ARGUMENTS placeholder in SKILL.md.
    - Boundary markers: There are no delimiters or specific safety instructions to prevent the agent from following malicious instructions embedded in the arguments.
    - Capability inventory: Generated commands are designed to use Bash (shell execution), Playwright (browser automation), WebFetch (network), and GitHub (gh cli), and are written to the persistent .claude/commands/ directory.
    - Sanitization: There is no evidence of sanitization or safety checks applied to the content before it is written to the command files.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:11 PM