council
Fail
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: HIGH
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill explicitly directs the agent to scan the .claude/skills/ directory during its information-gathering phase. This is an internal system path used by the AI platform to manage installed capabilities and metadata. Accessing such paths can expose internal configuration, installed tool lists, and other sensitive system metadata.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It ingests data from untrusted sources, including web search results, YouTube subtitles downloaded at runtime, and external PDFs, to 'distill' the personality and rules for its AI advisors. These sub-agents are instructed to 'completely enter the role' based on this content without boundary markers or sanitization, allowing a malicious external source to embed instructions that could override the agent's safety protocols or intended behavior.
- [COMMAND_EXECUTION]: The skill relies on sub-agents executing shell commands (e.g., bash mkdir -p) and invokes external CLI utilities such as yt-dlp. The parameters for these commands are derived from user-provided URLs and generated file paths. While intended for file management, instructing the agent to run arbitrary bash commands based on research data increases the risk of command injection if the input contains malicious shell metacharacters.
- [EXTERNAL_DOWNLOADS]: The skill includes functionality to download data from external servers at runtime. Specifically, it uses a Rust-based tool to fetch subtitles from YouTube and uses various research agents to scrape content from the web to populate its research files.
Recommendations
- AI detected serious security threats
Audit Metadata