skills/yonatangross/orchestkit/assess (Gen Agent Trust Hub)

assess

Result: Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE (flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It is designed to ingest and process content from a user-specified codebase ($ARGUMENTS) using tools such as Read, Grep, and Glob. If the target files contain malicious instructions, the agent or its sub-agents may follow them, because the prompts defined in references/agent-spawn-definitions.md contain no explicit directive to ignore instructions found within the data being assessed.
    ◦ Ingestion points: target files identified during phase 1 and phase 1.5 (SKILL.md, references/scope-discovery.md).
    ◦ Boundary markers: present (## Scope Constraint headers), but they do not explicitly instruct the model to disregard embedded commands in the file content.
    ◦ Capability inventory: access to Bash, Write, and TaskCreate, plus the ability to spawn background Agent processes that have tool access.
    ◦ Sanitization: no evidence of sanitization or filtering of ingested codebase content.
  • [COMMAND_EXECUTION]: The complexity breakdown rules in rules/complexity-breakdown.md instruct the agent to run a local shell script, ./scripts/analyze-codebase.sh. This script is not included in the skill's distribution, creating a dependency on an unverifiable external executable that the agent may attempt to run via the Bash tool.
  • [REMOTE_CODE_EXECUTION]: SKILL.md defines a PreToolUse hook that executes an external JavaScript file (run-hook.mjs) located in a system-level path (${CLAUDE_PLUGIN_ROOT}/hooks/bin/). This script runs automatically in the background whenever the Read tool is invoked.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 19, 2026, 02:03 AM