audit-skill-completeness

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external skill directories.
      • Ingestion points: Reading SKILL.md and other files within the target skill's path.
      • Boundary markers: The workflow lacks delimiters or specific instructions to treat audited content as data rather than instructions, potentially allowing a malicious skill to hijack the auditing process.
      • Capability inventory: The agent can read arbitrary files in the target path and write generated markdown reports to the local .claude/audits/ directory.
      • Sanitization: The skill does not validate or sanitize the content of the files it reads before evaluating them.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 08:41 AM