self-improving-agent

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes bash scripts located in the hooks/ directory (pre-tool.sh, post-bash.sh, session-end.sh) and provides instructions for the user to configure the agent to execute these scripts automatically during tool usage and session lifecycle via ~/.claude/settings.json.
  • [PROMPT_INJECTION]: The skill's primary mechanism involves extracting patterns from interaction data to programmatically update other skill files. This creates a large attack surface for indirect prompt injection, where an adversary can provide malicious input that the agent 'learns' as a permanent rule, effectively poisoning the agent's future behavior across all skills.
  • [COMMAND_EXECUTION]: The agent is explicitly instructed to use Write and Edit tools to modify the contents of other AI agent skills on the local filesystem. This capability allows the agent to change its own or other skills' logic based on potentially untrusted interaction history.
  • [DATA_EXFILTRATION]: The skill aggregates interaction history, logs, and extracted patterns into a centralized memory store located at ~/.claude/memory/. While stored locally, this collection of semantic and episodic data contains sensitive session context that could become a target for exfiltration if accessed by other malicious tools or commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 15, 2026, 01:08 AM