The Agent Skills Directory

[COMMAND_EXECUTION]: The skill constructs and executes shell commands using user-provided input in the 'Create new skill' menu option (Option 5). It instructs the agent to run python3 .claude/skills/skill-creator/scripts/init_skill.py [skill-name] using a name provided by the user. The lack of explicit sanitization instructions for this specific input poses a risk of command injection (e.g., a user providing a name like my-skill; rm -rf /).
[COMMAND_EXECUTION]: Step 7 employs shell redirection (echo >>) to append content to existing documentation files. While filenames generated in Step 4 are sanitized, the use of variables like $REAL_FILE (derived from grep results) and conversation context within shell commands without strict escaping could lead to unintended command execution if those values contain shell metacharacters.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the conversation history to generate structured documentation.
Ingestion points: Conversation history in Step 2, where symptoms, root causes, and module names are extracted.
Boundary markers: Absent; the skill does not use delimiters or instructions to treat the gathered context as untrusted data.
Capability inventory: The skill has access to powerful tools including Bash (used for grep, mkdir, echo, cat, and script execution) and Write (used for file creation).
Sanitization: Filename sanitization is implemented in Step 4; however, no sanitization or escaping is performed on the documentation content itself before it is written to the file system or passed to shell commands.

compound-docs