skills/xiaolai/vmark/mcp-dev/Gen Agent Trust Hub

mcp-dev

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by ingesting and acting upon untrusted data from the local environment.
  • Ingestion points: The scripts/scan_mcp.sh script reads content from src/, src-tauri/, and dev-docs/. The workflow in SKILL.md also references validation against local implementation plans.
  • Boundary markers: Absent. There are no instructions to the agent to distinguish between its system instructions and data found within the scanned files.
  • Capability inventory: The agent is authorized to modify sensitive files including .mcp.json, system hooks, and plugins, as defined in the SKILL.md workflow.
  • Sanitization: Absent. Content from scanned files is processed directly to guide integration work.
  • Data Exposure & Exfiltration (LOW): The skill identifies sensitive local configuration paths such as .mcp.json and .claude/settings.local.json. While no exfiltration logic (network calls) is present in the provided files, the exposure of these paths to an agent processing untrusted source code increases the risk of data leakage if the agent is compromised via injection.
  • Command Execution (LOW): The skill includes a shell script (scripts/scan_mcp.sh) that executes rg (ripgrep). The command is hardcoded to specific directories and does not directly incorporate user-controlled variables, making it low risk for direct command injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:58 AM