claude-agent-sdk-tool-integration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly permits the Bash tool in the YAML frontmatter. This grants the agent the ability to execute arbitrary shell commands on the underlying system, which is an extremely high-risk capability.
  • [PROMPT_INJECTION] (HIGH): The skill defines a significant surface for Indirect Prompt Injection (Category 8).
      • Ingestion points: The skill allows reading external content via MCP filesystem servers, database queries (read_database), and weather API responses (get_weather).
      • Boundary markers: Code snippets show no use of delimiters or 'ignore embedded instructions' warnings when processing this external data.
      • Capability inventory: The skill pairs data ingestion with high-privilege capabilities including Bash, Write, and Edit.
      • Sanitization: While basic directory traversal checks are shown in examples, there is no logic to sanitize or escape instructions that might be contained within the data being read.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill demonstrates and encourages the use of npx to download and execute remote packages at runtime (e.g., @modelcontextprotocol/server-filesystem). While these packages are associated with the Model Context Protocol, the organization is not on the explicit whitelist for trusted sources, qualifying this as execution of unverifiable remote code.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:10 AM