The Agent Skills Directory

Indirect Prompt Injection (SAFE): The skill aggregates data from git commit messages and session logs into reports. While this represents an ingestion surface for untrusted data, the processing is performed via standard utilities (jq, grep, sed) and the output is presented as a markdown report for user review. No evidence of immediate instruction interpolation was found.
Ingestion points: session_*.jsonl, corrections/*.jsonl, and git commit history.
Boundary markers: Reports use markdown tables and code blocks to delimit data.
Capability inventory: The skill can execute local bash commands and write to the local filesystem within the workspace hub.
Sanitization: Data is processed through jq, ensuring correct JSON escaping; however, commit messages and tool inputs are not specifically sanitized for markdown injection beyond standard formatting.
Dynamic Execution (SAFE): The install-hooks.sh script generates local bash hooks from embedded templates and configures the agent to execute them during tool usage. This is the primary intended function of the skill (providing reflection and logging) and does not involve remote code or obfuscated payloads.
Command Execution (SAFE): The scripts make extensive use of bash, git, and jq to perform analysis. Subprocess calls (e.g., in analyze-history.sh) are handled using timeout and positional parameters to mitigate risks associated with string interpolation.

claude-reflect