The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes local Python and Bash scripts (scripts/detect-mechanical.py and scripts/find-installed-skills.sh) to perform session audits and locate installed tools. These scripts are run via the Bash tool to analyze project structure and history.
[DATA_EXFILTRATION]: The skill accesses sensitive local directories including ~/.claude/projects/ (project logs) and ~/.claude-coach/events.sqlite (event history). It has the capability to transmit processed data to external repositories via git push, gh, and glab as part of its 'materialization' phase which creates Pull Requests.
[PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it uses an LLM to enrich findings from untrusted data sources.
Ingestion points: Reads and parses session transcripts and project logs from ~/.claude/projects/<slug>/*.jsonl.
Boundary markers: Absent; there are no explicit delimiters or instructions provided to the agent to ignore potentially malicious instructions embedded in the analyzed transcripts.
Capability inventory: Possesses high-privilege capabilities including local file modification (Write, Edit) and the ability to branch, commit, and push code to remote repositories.
Sanitization: Absent; the workflow does not describe a sanitization or escaping process for content extracted from transcripts before it is used to generate materialization proposals.

retro