dex-level-up
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using 'cp -r' for skill installation and 'node' for integration discovery. These commands interpolate variables such as '[role_group]' and '[skill-name]' which are retrieved from local configuration files and user profiles. This usage pattern can lead to command injection if the underlying files are manipulated to include shell metacharacters.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  1. Ingestion points: The skill reads data from 'System/usage_log.md', 'System/user-profile.yaml', and the YAML frontmatter (name, description, jtbd, time_investment) of uninstalled skills located in '.claude/skills/_available/'.
  2. Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore instructions embedded within these external files.
  3. Capability inventory: The skill has the capability to execute shell commands ('cp', 'node') and perform file system writes ('System/usage_log.md').
  4. Sanitization: No evidence of validation, escaping, or filtering of the ingested external content is present.
  The combination of reading untrusted metadata and possessing shell execution capabilities creates a risk that malicious data could influence agent behavior or execute commands.
Audit Metadata