Hooks Automation

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's configuration guide recommends interpolating untrusted agent tool parameters, such as ${tool.params.command} and ${tool.params.task}, directly into shell commands. This creates a command injection vulnerability where a malicious input containing shell metacharacters could execute arbitrary code on the host system.
  • [DATA_EXFILTRATION]: The skill provides examples of hooks that target sensitive files such as production.env for backups and validation, which could lead to exposure of credentials if the automated notifications or metric exports include this data.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the claude-flow CLI tool from an external registry (npm install -g claude-flow@alpha) and uses npx to execute remote packages.
  • [REMOTE_CODE_EXECUTION]: Supports 'Custom Hook Creation', which involves executing arbitrary JavaScript files (e.g., .claude/hooks/custom-quality-check.js) as part of the tool execution flow, enabling arbitrary code execution within the agent's environment.
  • [INDIRECT_PROMPT_INJECTION]:
      • Ingestion points: Tool parameters like command, file_path, task, and pattern from the agent context are used in shell commands.
      • Boundary markers: The examples wrap the interpolated value in single quotes (e.g., '${tool.params.command}'). This is insufficient, because a parameter value that itself contains a single quote terminates the quoted string, after which any remaining shell metacharacters are interpreted by the shell.
      • Capability inventory: Shell command execution via npx, Git repository modification, and file system access (Read/Write/Backup).
      • Sanitization: No sanitization or validation of the interpolated parameters is documented in the hook configuration.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 08:53 AM