command-creator

Warn

Audited by Gen Agent Trust Hub on May 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to code injection in its routing-configuration logic.
  • Evidence: In scripts/main.cjs, the function updateRoutingTableAgents takes the skill argument and interpolates it directly into JavaScript source that is written to a .cjs file, using a template literal of the form `const entry = \`  '${name}': '${skill}',\`;`.
  • Impact: A skill value containing a single quote terminates the string literal, so a payload such as `x'; <attacker JavaScript>; //` (the trailing `//` comments out the rest of the generated line, keeping the file syntactically valid) is written into routing-table-intent-agents.cjs as executable code. Because that file is a CommonJS module, the injected code runs whenever the platform requires it to make a routing decision, not only while the skill itself is running.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface due to insufficient sanitization of user-provided content.
  • Ingestion points: The skill accepts args.description and args.skill from user input in SKILL.md and scripts/main.cjs.
  • Boundary markers: The skill follows a best practice by including disable-model-invocation: true in the generated command files, which helps prevent the agent from accidentally executing the instructions within the command file as its own.
  • Capability inventory: The skill possesses the capability to write files to the .claude/commands/ directory and modify internal configuration files in .claude/lib/routing/ and .claude/context/.
  • Sanitization: While the command name is sanitized for character safety, the skill and description strings are written verbatim into the generated markdown and JavaScript files, with no quote escaping and no filtering for instruction-like content. A description that embeds instructions aimed at the model is therefore persisted and read back on every later invocation of the generated command, giving it a durable influence on future agent interactions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 28, 2026, 06:34 AM
Security Audit — agent-trust-hub — command-creator