deepen-plan

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs extensive filesystem reconnaissance using 'find', 'ls', and 'cat' on sensitive locations including the user's home directory (~/.claude/) and plugin caches to identify executable logic.
  • [REMOTE_CODE_EXECUTION]: It implements a dynamic execution pattern that invokes any agent or skill found during discovery. The instructions explicitly command the agent to 'follow the skill's instructions exactly' and 'Execute the skill completely' for these external resources, which could execute malicious code from compromised plugins.
  • [DATA_EXFILTRATION]: The skill accesses and reads global configuration files like 'installed_plugins.json' and various markdown files within the ~/.claude/ directory, aggregating internal system and plugin metadata into the AI's context.
  • [PROMPT_INJECTION]: The skill contains 'Power Enhancement Mode' instructions that command the agent to bypass all relevance filtering and execute every discovered resource ('Do NOT filter agents by relevance - run them ALL', 'run them ALL... 40+ parallel agents is fine'). This overrides standard safety and operational constraints, facilitating the execution of potentially harmful third-party instructions.
  • [PROMPT_INJECTION]: The workflow processes untrusted data from a plan file to drive sub-agent selection (Ingestion point: #$ARGUMENTS). It lacks explicit boundary markers or sanitization for the plan content, and its capability inventory includes broad file-read, command-execution, and dynamic tool-invocation across all discovered plugins, making it vulnerable to indirect prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 30, 2026, 01:21 AM