NYC

anthropic-skill-creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill facilitates the execution of shell scripts and Python commands. Specifically, scripts/new_skill.sh is provided and executes directory creation (mkdir -p) and file writing (cat >). Additionally, SKILL.md references two Python scripts (quick_validate.py and package_skill.py) that are not included in the provided file list but are intended to be executed on the user's system.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
    • Ingestion points: User-provided 'use cases' and 'phrasing' (Step 1 in SKILL.md) are directly used to draft instructions and frontmatter.
    • Boundary markers: None are present; the skill lacks delimiters or instructions to ignore embedded commands in the user input during the generation process.
    • Capability inventory: The skill has file-write capabilities (new_skill.sh) and command execution capabilities (Python scripts mentioned in Packaging).
    • Sanitization: There is no sanitization or escaping of the untrusted user input before it is written into the new SKILL.md file via the cat command in new_skill.sh. An attacker could provide a use case that includes malicious instructions intended for the agent that eventually loads the generated skill.
  • [COMMAND_EXECUTION] (MEDIUM): The script scripts/new_skill.sh allows for a user-specified --path argument. While there is a regex check on the skill_name, there is no validation of the skills_root path, which could allow an agent to be manipulated into creating directories or overwriting (via cat >) files in unintended locations if the agent allows path overrides.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:28 AM