The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and internalizes the content of local markdown files (stored in .claude/handoffs/*.md) to determine the agent's next actions.
Ingestion points: The agent reads handoff documents from the .claude/handoffs/ directory within the project root.
Boundary markers: The instructions do not include specific boundary markers or instructions to the agent to ignore potentially malicious commands embedded within the handoff markdown body.
Capability inventory: The skill has access to file system operations (mkdir, mv) and git commands (git rev-parse, git status). Additionally, the agent is instructed to internalize the file content to guide subsequent actions, which may involve any tools available in the agent's environment.
Sanitization: There is no explicit validation or sanitization of the handoff file content before it is processed by the agent.

resume-session-handoff