create-locked-down-skill

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The shell script template templates/claude/hooks/dir-jail.sh is vulnerable to command injection. The script takes a file path ($TARGET) and interpolates it directly into a python3 -c command string inside single quotes. A file path containing a single quote followed by Python code (e.g., '); import os; os.system('... ) would therefore lead to arbitrary command execution when the hook runs during tool calls such as Read or Write. This is particularly critical because the script is intended to serve as a security control.
  • [DYNAMIC_EXECUTION]: The hook scripts provided in the templates use python3 -c to execute dynamically constructed Python snippets for path normalization. While intended as a utility, this pattern introduces a code execution vector whenever inputs are not strictly sanitized before being interpolated into the command string.
  • [INDIRECT_PROMPT_INJECTION]: The skill facilitates the creation of workflows by embedding 'source content' provided by users into configuration and instruction files. This process applies no sanitization and uses no boundary markers, creating an ingestion point for untrusted data that could influence the behavior of agents operating within the generated environment.
  • Ingestion points: SKILL.md (Step 1: Gather Requirements, Source content).
  • Boundary markers: Absent in the provided templates and instructions.
  • Capability inventory: The generated workflows typically allow file operations (Read, Write, Edit, Glob, Grep) and occasionally shell access.
  • Sanitization: No sanitization or validation of the user-provided content is implemented.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 23, 2026, 08:28 PM
Security Audit — agent-trust-hub — create-locked-down-skill