skills/simota/agent-skills/Sigil/Gen Agent Trust Hub

Sigil

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests and processes untrusted project data (manifests, config files, and existing rules) to dynamically generate and install executable instructions.
    • Ingestion points: references/context-analysis.md describes scanning untrusted files such as package.json, .cursorrules, .windsurfrules, and CLAUDE.md to infer project conventions.
    • Boundary markers: references/validation-rules.md defines a 12-point rubric to score generated skills, requiring a score of 9+ for installation.
    • Capability inventory: SKILL.md authorizes the agent to write generated skills and references to the .claude/skills/ and .agents/skills/ directories.
    • Sanitization: SKILL.md and references/validation-rules.md explicitly prohibit the inclusion of secrets, credentials, tokens, or machine-specific private data in generated outputs.
  • [COMMAND_EXECUTION]: The agent is designed to author skills that utilize shell commands (using ! syntax) for runtime state injection. While it provides templates for common tools like git and gh, the ability to generate and install such commands based on repository analysis poses a risk if the source files are maliciously crafted.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 12:20 PM