
session-history

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using variables that can be influenced by user input or the current environment.
      • Evidence: `mkdir -p ~/history/${target_date//-/\/}/{project_name}/` in SKILL.md and `grep "\"project\":\"$PROJECT_NAME\"" ~/history/index.jsonl` in references/index-management.md.
      • Risk: If target_date (which can be user-provided) or project_name contain shell metacharacters (e.g., `;`, `&&`), it could lead to command injection if the agent's shell tool does not adequately sanitize strings before execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted conversation data to generate summaries and index entries.
      • Ingestion points: Conversation context and transcripts processed by the summarization logic in SKILL.md.
      • Boundary markers: Absent. The skill does not provide clear delimiters or instructions to ignore commands that might be embedded within the conversation being summarized.
      • Capability inventory: Shell command execution (mkdir, grep, tail) and filesystem write access via the Write tool.
      • Sanitization: Absent. While the skill specifies output formats (e.g., kebab-case for slugs), it does not include explicit security sanitization or validation of the input data.
Audit Metadata
Risk Level
SAFE
Analyzed
May 10, 2026, 09:21 AM