improvement-generator

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/propose.py executes the claude CLI tool using the subprocess.run function. While the execution uses a fixed list of arguments and passes variable input safely through standard input (stdin) rather than shell arguments, the reliance on external binaries for core logic is a notable behavior.
  • [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection. It ingests content from external sources, including target skill files (SKILL.md) and failure traces, which are then interpolated into an LLM prompt to generate improvement candidates. Maliciously crafted instructions within these ingested files could potentially influence the LLM's output, leading to the generation of harmful execution plans.
  • [PROMPT_INJECTION]: The following evidence chain supports the indirect prompt injection finding: (1) Ingestion points: The skill reads contents from SKILL.md and JSON files provided via the --trace and --source arguments. (2) Boundary markers: The prompt construction in scripts/propose.py uses basic Markdown headers to separate user-controlled data from system instructions, which may be insufficient to prevent sophisticated injection attacks. (3) Capability inventory: The skill generates JSON artifacts containing an execution_plan that defines filesystem operations (such as append_markdown_section) to be performed by other tools. (4) Sanitization: There is no evidence of content validation or escaping of the ingested data before it is sent to the LLM, nor of verification of the LLM's output before it is written to the candidate JSON artifact.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 8, 2026, 03:25 AM