skills/simota/agent-skills/hone/Gen Agent Trust Hub

hone

Pass

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core workflow involves fetching and processing data from external web sources, including community blogs and forums (T3 sources). Maliciously crafted documentation or registry entries could influence the agent to recommend insecure configurations or hooks.
    • Ingestion points: WebSearch and WebFetch results from official documentation and community sources (referenced in references/web-sources.md).
    • Boundary markers: The skill instructions do not specify explicit delimiters (like XML tags) for external content, though it uses a 'source tier' system to weigh information.
    • Capability inventory: The skill can read local files (~/.claude/, etc.), perform web searches, and generate proposed configuration diffs (SKILL.md).
    • Sanitization: Instructions require 'Source Tier Classification' (T1-T4) to validate claims against official documentation.
  • [DATA_EXFILTRATION]: The skill performs an audit by reading local configuration files from the user's home directory (e.g., ~/.codex/config.toml, ~/.claude/settings.json). While the instructions strictly forbid reading known credential or session files (e.g., auth.json, credentials.json), the act of fetching best practices based on the user's current configuration could leak metadata about the user's project environment or tool usage to external search engines and websites.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch documentation and best practices from various external domains.
    • Evidence: Multiple URLs in references/web-sources.md targeting official vendor sites (openai.com, google.dev, anthropic.com) and community blogs (claudefa.st, eesel.ai).
    • Note: References to official vendor domains and well-known repositories (GitHub) are considered safe and aligned with the skill's primary purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 25, 2026, 12:03 PM