bugs
Warn
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the "codex exec --yolo" command. This flag is designed to bypass user confirmation for model-generated actions, which significantly increases the risk of unintended or malicious operations being executed autonomously.
- [PROMPT_INJECTION]: The skill ingests untrusted data from the codebase (e.g., file context and dependency graphs) and interpolates it directly into agent prompts. The absence of strict boundary markers or sanitization logic makes the system vulnerable to indirect prompt injection, where instructions embedded in the analyzed code could hijack the agent's behavior.
  - Ingestion points: SKILL.md (Task prompt section) reads $TARGET_FILE and $ARGUMENTS via tldr commands.
  - Boundary markers: Absent from prompt templates.
  - Capability inventory: Access to Bash, Read, Grep, Glob, and "codex exec --yolo" capabilities.
  - Sanitization: No sanitization or validation of the ingested content is performed before prompt interpolation.
- [COMMAND_EXECUTION]: The prompt construction logic employs shell-style command substitution (e.g., $(tldr structure .)) to inject dynamic context. This pattern can lead to command injection if the inputs to these underlying tools are manipulated.
- [DATA_EXFILTRATION]: The skill accesses platform-specific configuration files such as ~/.claude/settings.json. While used for model selection, accessing such files could potentially expose environment settings if the logic is exploited.
Audit Metadata