session2-tools

Pass

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill employs strong behavioral overrides referred to as 'STOP PROTOCOL' with instructions like '절대 위반 금지' (Never Violate) and '최우선 규칙' (Top Priority Rule). These are designed to control the agent's interaction flow during a workshop but technically constitute an instruction to disregard standard operational flexibility.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute commands that modify the local environment, specifically creating files in .claude/skills/ and modifying the .mcp.json configuration file via the claude mcp add command.
  • [EXTERNAL_DOWNLOADS]: The skill triggers the download and installation of external MCP servers from the NPM registry. These include @modelcontextprotocol/server-slack, @notionhq/notion-mcp-server, and @modelcontextprotocol/server-gdrive. These are recognized as well-known and trusted services.
  • [CREDENTIALS_UNSAFE]: The instructions guide the agent to ask the user for sensitive API keys (e.g., SLACK_BOT_TOKEN, NOTION_API_KEY) and then pass them as environment variables on the command line (-e SLACK_BOT_TOKEN=...). While necessary for the tool's functionality, passing secrets as CLI arguments is a suboptimal security practice, since they may appear in process logs.
  • [INDIRECT_PROMPT_INJECTION]: The skill creates a system that ingests untrusted data from external sources (Slack messages, Notion pages, and Google Sheets).
      • Ingestion points: Data is pulled from external APIs in references/block3-parallel-collection.md and templates/context-sync.md.
      • Boundary markers: Absent. The templates do not define clear delimiters or instructions to treat the fetched content as untrusted data.
      • Capability inventory: The agent has the capability to write files (SKILL.md creation) and modify tool configurations (.mcp.json).
      • Sanitization: Absent. No explicit sanitization or filtering logic is provided for the collected content before it is processed into a summary.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 23, 2026, 10:49 AM