
code-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The 'config-manager' sub-skill performs automatic discovery of review skills by scanning the entire workspace using the pattern **/SKILL.md. It reads and extracts the 'name' and 'description' fields from any matching file. This data is then stored in a configuration file and used in executor/scripts/launch-subagents.sh to generate prompts for the Task tool. Because the skill names are interpolated into these prompts without sanitization or escaping, an attacker can place a malicious SKILL.md file in the repository (e.g., in a node_modules or temp directory) containing quote characters to break the prompt string and inject arbitrary subagent instructions or parameters.
  • COMMAND_EXECUTION (MEDIUM): Multiple scripts (merge-configs.sh, validate-config.sh) depend on the external binary yq. While yq is a common utility, it is an unverifiable system dependency. Furthermore, merge-configs.sh performs complex yq eval operations on content aggregated from multiple configuration files, including those populated by the insecure workspace discovery process, which could lead to unexpected behavior or exploitation of the yq evaluator.
  • DATA_EXFILTRATION (LOW): The skill reads from and writes to sensitive user-level directories including ~/.claude and ~/.config. While this is intended for configuration persistence, the broad workspace scanning (**/SKILL.md) means the agent may inadvertently process and store metadata from unrelated or sensitive project subdirectories.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:38 AM