skill-personalizer

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Finding tags: NO_CODE
Full Analysis
  • [NO_CODE]: The skill consists entirely of Markdown and YAML configuration files (SKILL.md, references/audit-rubric.md, agents/openai.yaml, references/personalization-rubric.md) providing instructions and diagnostic rubrics. It does not contain any executable scripts or binary components.
  • [DATA_EXPOSURE]: The instructions direct the agent to analyze local environment data, such as shell history (~/.bash_history), session transcripts, and local skill installation directories (e.g., ~/.claude/skills). While these sources may contain personal or sensitive data, this access is necessary for the skill's stated purpose of personalizing workflows to the user's environment. The skill performs no network operations, and no data exfiltration mechanisms were detected.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to process potentially untrusted external data, such as other Agent Skills or session transcripts, which could contain malicious instructions. However, the risk is mitigated because this skill lacks any dangerous capabilities (e.g., file-writing, subprocess execution, or network access) that could be leveraged in an exploit.
      1. Ingestion points: Workflow steps in SKILL.md and evidence surfaces defined in references/audit-rubric.md.
      2. Boundary markers: Absent from the instructions.
      3. Capability inventory: No subprocess calls, exec/eval functions, file-write operations, or network access patterns are present in the skill files.
      4. Sanitization: audit-rubric.md explicitly instructs the agent to prefer sanitized examples in reports.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 17, 2026, 08:17 AM
Security Audit — agent-trust-hub — skill-personalizer