slash-command-encoder

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its auto-discovery mechanism.
      • Ingestion points: Reads metadata from SKILL.md files in ~/.claude/skills/ and .claude/skills/ directories.
      • Boundary markers: No delimiters or ignore instructions are specified for the extracted metadata.
      • Capability inventory: Includes file system scanning, command file generation in .claude/commands/, and execution of complex command pipelines.
      • Sanitization: While parameter types are validated, there is no mention of sanitizing or escaping the names, descriptions, or routing targets extracted from the discovered skills before using them in command registration. This allows potentially malicious local content to influence the command registry.
  • [COMMAND_EXECUTION]: The skill framework facilitates dynamic command generation and registration by automating the creation of command definition files based on metadata gathered from other skills. It supports the execution of complex shell-like pipelines involving parallel fan-out, sequential processing, and conditional branching. This system of mapping external metadata to executable CLI commands represents a significant dynamic execution surface that could be exploited if malicious skills are present in the scanned directories.
  • [EXTERNAL_DOWNLOADS]: The skill provides integration and routing for well-known AI services such as Gemini and Codex via their respective CLI tools. These are documented neutrally as standard integration points for multi-model capabilities.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 2, 2026, 07:18 AM