audit-output-styles
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted Markdown content from various locations (plugins, project, and user directories) and passes that content to subagents for analysis.
  - Ingestion points: Style files located in `plugins/*/output-styles/`, `.claude/output-styles/`, and the user's home directory (`~/.claude/output-styles/`).
  - Boundary markers: Absent; there are no specified delimiters or instructions to ignore embedded commands within the style files.
  - Capability inventory: The skill has access to `Bash`, `Read`, `Write`, `Edit`, `Glob`, `Grep`, and `Task` tools.
  - Sanitization: Absent; no validation or escaping of the style file content is performed before it is processed by the auditor subagents.
- [DATA_EXFILTRATION]: The skill is configured to read files from the user's home directory (`~/.claude/output-styles/` or `%USERPROFILE%\.claude\output-styles\`). While this is intended for accessing configuration styles, it allows the agent to access and aggregate data from outside the active project folder into logs and temporary files.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool and spawns subagents to perform its auditing tasks. While the workflow is structured, the combination of executing shell commands and spawning agents while processing content from untrusted local files creates an attack surface where a malicious style file could attempt to trigger unauthorized commands through the agent's logic.
Audit Metadata