ck

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Findings flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill features an indirect prompt injection surface in hooks/session-start.mjs and commands/init.mjs. These scripts automatically parse files in the current working directory—such as CLAUDE.md, package.json, and README.md—to extract goals and project descriptions. This data is then injected into the agent's system prompt at the start of every session without sufficient sanitization or boundary markers, allowing a malicious repository to potentially steer the agent's instructions.
  • Ingestion points: The skill reads CLAUDE.md, package.json, go.mod, Cargo.toml, pyproject.toml, and README.md from the project's root directory.
  • Boundary markers: The extracted content is interpolated into the session context without protective delimiters or instructions to the agent to disregard embedded commands.
  • Capability inventory: The skill executes local Node.js scripts, performs filesystem writes to the user's home directory (under ~/.claude/ck/), and executes system git commands.
  • Sanitization: The extracted text is only subjected to basic whitespace trimming before being included in the agent's context.
  • [PROMPT_INJECTION]: The hooks/session-start.mjs hook utilizes an explicit "IMPORTANT: Display ... verbatim" instruction. This is a direct instruction injection intended to force the agent to display the project context block as its first response, overriding the model's standard greeting behavior.
  • [COMMAND_EXECUTION]: The skill relies on child_process.spawnSync within commands/shared.mjs and hooks/session-start.mjs to invoke the git binary. This is used to gather commit history and activity summaries (e.g., git log, git diff). While this is part of the skill's intended functionality for tracking project progress, it involves executing external CLI tools with arguments derived from the local environment.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 06:51 AM
Security Audit — agent-trust-hub — ck