joy-check

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It processes untrusted data from external files and analyzes it using an LLM without explicit boundary markers or instructions to ignore embedded agent commands. Since the skill has the capability to write/edit files and execute bash commands, a malicious instruction inside a processed file could be followed by the agent.
    • Ingestion points: The target file path provided in the <file> argument.
    • Boundary markers: The skill instructions suggest skipping frontmatter and code blocks, but the skill lacks specific delimiters or warnings to ignore instructions embedded in the analyzed text paragraphs.
    • Capability inventory: Read, Write, Edit, Bash, Grep, Glob.
    • Sanitization: None mentioned.
  • [PROMPT_INJECTION]: The 'instruction' mode logic explicitly targets and removes hard negative constraints like 'NEVER', 'do NOT', and 'FORBIDDEN'. If this skill is applied to security-critical instructions or system prompts, it could inadvertently neutralize safety protections by converting strict prohibitions into potentially ambiguous positive framing.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute local system commands, including grep and a Python script located at ~/.claude/scripts/scan-negative-framing.py. While functional, this represents a mechanism for executing code on the host machine.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 30, 2026, 12:34 PM