retro

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The search subcommand is vulnerable to shell command injection. The user-provided TERM is interpolated directly into a bash command (python3 ~/.claude/scripts/learning-db.py search "TERM") without sanitization, so anyone who controls TERM can execute arbitrary shell commands by including metacharacters such as ;, &, or $(). Additionally, the graduate subcommand builds a bash command from TOPIC and KEY values fetched from a database (python3 ~/.claude/scripts/learning-db.py graduate TOPIC KEY "target:file/path"); if the database content is influenced by malicious input, this is a second command-injection path.
  • [PROMPT_INJECTION]: The skill contains a surface for indirect prompt injection within the graduate subcommand logic.
  • Ingestion points: Knowledge entries are read from scripts/learning.db via the learning-db.py script (relative to the user home directory). These entries are generated by external background processes like nightly 'auto-dream cycles'.
  • Boundary markers: Absent; the skill does not use delimiters or specific instructions to the agent to treat the database content as potentially unsafe data.
  • Capability inventory: The skill utilizes Bash, Edit, Read, and Grep tools, providing the capability to modify files and execute commands across the repository.
  • Sanitization: Absent; the skill relies on the LLM's internal evaluation and a manual user approval step rather than programmatic sanitization or validation of the database content before it is written to skill files using the Edit tool.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 1, 2026, 05:55 AM
Security Audit — agent-trust-hub — retro