council
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is configured to automatically search for and read potentially sensitive files including CLAUDE.md and the entire contents of a memory/ directory in the workspace. This automated ingestion exposes project context, business logic, and history to multiple sub-agent instances without per-file user consent.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by ingesting external data into complex sub-agent prompts.
  1. Ingestion points: The skill reads project files (CLAUDE.md, memory/ folder) and the user question.
  2. Boundary markers: While triple-dash separators are used, the prompts lack explicit instructions for sub-agents to ignore instructions contained within the ingested data.
  3. Capability inventory: The skill uses Glob to find files, Read to extract content, and Write to save session transcripts to the file system.
  4. Sanitization: No evidence of input validation or escaping for the file-based context is present.
- [COMMAND_EXECUTION]: The automated execution of file system exploration tools (Glob and Read) to locate and ingest project context occurs as a background step, which can lead to unintended access to private developer data if sensitive information is stored in the targeted directory structures.
Audit Metadata