skill-awareness

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The Logging Protocol section contains a shell command injection vulnerability. The bash command uses string interpolation for variables like SKILL_NAME, PROJECT_PATH, and BRIEF_CONTEXT within a single-quoted string. If an attacker controls a directory name (PROJECT_PATH) or a task description (BRIEF_CONTEXT) containing a single quote ('), they can terminate the string and execute arbitrary commands on the host system.
  • [PROMPT_INJECTION] (LOW): The skill employs 'The Iron Rule' and 'The Bottom Line' sections with imperative instructions such as 'ALWAYS log', 'No silent applications', and 'No exceptions'. These patterns attempt to override the agent's operational discretion and force the execution of the logging subprocess regardless of context or safety considerations.
  • [DATA_EXFILTRATION] (SAFE): The skill aggregates sensitive metadata (working directory paths and task descriptions) into a central log file at ~/.claude/skills/skill-usage.jsonl. While this data collection creates a privacy risk, the analysis found no network-enabled commands (e.g., curl, wget) that would transmit this file to an external destination.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:06 PM