system-upgrade
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection in Phase 1, where it parses untrusted external data such as 'Claude Code release notes' fetched from the web or user-provided goal changes. Malicious instructions embedded in these external sources could be misinterpreted as valid 'upgrade signals,' potentially leading the agent to propose harmful modifications to the system's agents or hooks.
- [COMMAND_EXECUTION]: The skill performs extensive local command execution via the Bash tool. It runs several local Python scripts, including `scripts/learning-db.py`, `scripts/upgrade-diff.py`, and `hooks/sync-to-user-claude.py`. It also utilizes standard shell utilities like `grep`, `ls`, and `git` for auditing and version control operations.
- [DATA_EXFILTRATION]: Phase 6 (DEPLOY) involves a 'sync' operation where modified agents, skills, and hooks are copied to the `~/.claude/` directory. While this is the intended deployment mechanism for the platform, it represents a write operation to a sensitive user configuration path that should be monitored.
- [PROMPT_INJECTION]: The skill implements an 'Auto-Approve' optional behavior that, if enabled by the user, bypasses the mandatory human-in-the-loop approval gate between planning and implementation. Enabling this significantly increases the risk that an indirect prompt injection could result in automated, malicious system modifications.
Audit Metadata