funnel-architect

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The instruction in SKILL.md to execute python campaign-tracker.py --brand {slug} --action list-campaigns performs direct shell command execution. The variable {slug} is derived from session context or user input and is interpolated directly into the command string without visible sanitization or escaping, creating a high risk for command injection attacks if the slug is maliciously crafted.
  • [DATA_EXFILTRATION]: The skill is configured to read sensitive data from hidden local directories, specifically ~/.claude-marketing/brands/{slug}/profile.json and ~/.claude-marketing/brands/{slug}/guidelines/_manifest.json. Accessing files in hidden user directories is categorized as a high-risk data exposure pattern, because these locations often contain configuration secrets or personally identifiable information.
  • [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection.
    ◦ Ingestion points: Gathers complex, untrusted data from users regarding 'Business Model', 'Current Funnel State', and 'Tech Stack' (SKILL.md).
    ◦ Boundary markers: No delimiters or instructions to ignore embedded commands are present in the prompt templates.
    ◦ Capability inventory: The skill has the capability to execute local Python scripts (campaign-tracker.py) and read from the local file system.
    ◦ Sanitization: There is no documented evidence of input validation, escaping, or sanitization before processing this data or using it in shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 1, 2026, 01:18 AM