merge-rules
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core functionality of ingesting and processing untrusted data from multiple external sources.
- Ingestion points: The skill reads .md, .local.md, and .examples.md files from various project paths defined in a user-provided configuration file. It also reads the user's global Claude Code settings (~/.claude/settings.json).
- Boundary markers: There are no explicit instructions or architectural safeguards (such as XML tags or specific delimiters) defined in the skill to prevent the agent from obeying instructions embedded within the rule files being merged.
- Capability inventory: The skill uses the Read, Write, and Grep tools and restricted Bash tools (ls, mkdir, wc) to process file content and generate new rule files. While shell access is restricted, the ability to write new rule sets creates a 'poisoning the well' risk, where the agent's future behavior is compromised by the merged output.
- Sanitization: The skill performs semantic merging and conversion using 'AI judgment' but does not specify any sanitization or validation of the input text to filter out command-like language or malicious instructions.
- Risk: An attacker could include a malicious rule in a project's source file. When this skill merges it, the malicious instruction could be promoted to a high-level Principle in the final output, which the agent might then follow in subsequent sessions.
Audit Metadata