bare-eval

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Several shell command templates in 'references/invocation-patterns.md' interpolate user-controlled variables like '$prompt', '$output_text', and '$SKILL_PATH' directly into CLI strings. This creates a risk of command injection in the host environment if these variables contain shell-active characters or subcommands. The inclusion of the '--dangerously-skip-permissions' flag in some patterns further escalates this risk by allowing the agent to execute actions without user confirmation.
  • [PROMPT_INJECTION]: The skill facilitates model-in-the-loop evaluation by interpolating untrusted outputs from other models into grading and classification prompts. This introduces an indirect prompt injection surface.
  • Ingestion points: Untrusted content is ingested via the '$output_text' and '$prompt' variables in 'references/invocation-patterns.md'.
  • Boundary markers: The provided templates use plain-text headers such as 'OUTPUT:' and 'ASSERTIONS:' but do not use robust delimiters, nor do they instruct the model to disregard any instructions that appear inside the interpolated data.
  • Capability inventory: The skill uses the 'claude' CLI, which has the capability to interact with the filesystem and execute local tools.
  • Sanitization: No sanitization, escaping, or validation logic is defined in the documentation or templates to mitigate malicious payloads in the processed model outputs.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 19, 2026, 02:03 AM