skills/nowork-studio/toprank/ads/Gen Agent Trust Hub

ads

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Persistence mechanism via SessionStart hook.
      • File: references/change-tracking.md contains instructions for the agent to modify ~/.claude/settings.json to include a SessionStart command: /home/user/toprank/bin/toprank-change-watch.
      • This ensures that an external, unverified binary is executed every time the agent session is initialized.
  • [COMMAND_EXECUTION]: Use of hardcoded local script paths for critical functionality.
      • File: references/change-tracking.md instructs the agent to execute /home/user/toprank/bin/toprank-change-watch ics ... > ~/review.ics to generate calendar files.
      • The skill assumes the existence of and executes code from a non-standard local path outside the skill's own directory or standard tool environment.
  • [PROMPT_INJECTION]: Surface for Indirect Prompt Injection via Google Ads data.
      • Ingestion points: The skill reads search_terms and keywords text from the Google Ads API (File: SKILL.md, references/search-term-analysis-guide.md).
      • Boundary markers: None. There are no instructions to the model to ignore or delimit instructions that might be embedded within search queries or keyword metadata.
      • Capability inventory: The skill has extensive write capabilities (pauseKeyword, updateBid, createCampaign) and shell execution capabilities.
      • Sanitization: No sanitization or validation of the text content returned from the API is performed before processing.
  • [DATA_EXFILTRATION]: Access to sensitive local configuration and credential files.
      • The skill documentation (SKILL.md and evals/evals.json) describes a process for reading ~/.claude/settings.json, .adsagent.json, and ~/.adsagent/config.json to resolve API keys and account IDs.
      • While intended for configuration, accessing internal platform settings and home-directory config files constitutes sensitive data exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 29, 2026, 02:51 AM