plugin-structure

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill describes a mechanism where external markdown files (Skills and Output Styles) are injected directly into the AI's system prompt. This creates a surface where untrusted plugin content can override core agent behavior.
      • Ingestion points: commands/*.md, output-styles/*.md, and plugin.json metadata.
      • Boundary markers: No sanitization or delimiters are described for the content being injected into the prompt.
      • Capability inventory: The system exposes Bash, Write, Edit, and Read tools, so any injected instructions would have access to high-impact capabilities.
      • Sanitization: The documentation does not specify any sanitization or validation of external content before it is interpolated into the prompt.
  • [Remote Code Execution] (HIGH): The documentation explains how to install plugins from arbitrary remote Git repositories and marketplaces, which leads to the execution of unverified third-party scripts.
      • Evidence: references/advanced-topics.md provides commands for adding arbitrary Git URLs as marketplaces: claude plugin marketplace add https://gitlab.com/org/repo.git
  • [Privilege Escalation] (HIGH): The documentation details the use of the --allowedTools flag to bypass the interactive user confirmation step for sensitive tools such as Bash or file modification, allowing the agent to operate autonomously without oversight.
      • Evidence: references/headless-ci-mode.md explicitly describes using --allowedTools to "Auto-approve specific tools without interactive prompts."
  • [Command Execution] (MEDIUM): The skill contains multiple examples of Bash scripts (e.g., status line integrations) that parse session data and execute shell commands.
      • Evidence: references/advanced-topics.md includes a Bash script that uses jq to process model and cost information read from stdin.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:33 AM