ops-next

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Use of dynamic context injection to execute shell commands silently at runtime.
  • Evidence: Multiple occurrences of the !command syntax in SKILL.md used to execute ${CLAUDE_PLUGIN_ROOT}/bin/ops-infra, ops-prs, ops-ci, and ops-unread.
  • Evidence: A shell loop in SKILL.md that uses jq to parse ${CLAUDE_PLUGIN_ROOT}/scripts/registry.json and then cat to read up to 30 lines of various .planning/STATE.md files based on paths in the registry.
  • Risk: These commands execute automatically, without user confirmation, whenever the skill is loaded. While intended for data gathering, they constitute unvetted shell execution that injects local file content into the agent's context.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
  • Ingestion points: SKILL.md reads data from preferences.json, daemon-health.json, topics_active.md, registry.json, and multiple project-specific STATE.md files.
  • Boundary markers: Absent. External data is interpolated directly into the prompt context without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill has access to sensitive tools including Bash, WebFetch, SendMessage, TaskCreate, and several Linear/Slack MCP tools.
  • Sanitization: Absent. No validation or escaping is performed on the content of the ingested files.
  • Risk: If an attacker or a malicious process can modify the STATE.md files or other ingested configuration files, they can inject instructions that the agent may execute using its available tools.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 06:48 AM