stacksmith-ops

Warn

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The /stacksmith-ops learn search command is vulnerable to shell command injection. The skill interpolates the user-provided <query> directly into a grep command (grep -i "$_QUERY" ...) without any sanitization or escaping. This allows a user to execute arbitrary commands by including shell metacharacters such as semicolons, pipes, or backticks in their search terms.
  • [COMMAND_EXECUTION]: In 'health' mode, the skill is instructed to parse and execute shell commands exactly as they appear in the CLAUDE.md file. This creates a direct path for arbitrary command execution based on untrusted project content. If an attacker can modify the repository's documentation (e.g., through a Pull Request), they can trigger malicious code execution when the health audit is run.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from a local file and uses it to drive agent actions without validation.
      ◦ Ingestion points: The CLAUDE.md file, specifically the ## Health Stack section, is used as a source for shell commands.
      ◦ Boundary markers: Absent; the skill lacks delimiters or instructions to ignore malicious embedded commands in the file content.
      ◦ Capability inventory: The skill uses the Bash tool to execute the strings it reads from the project file.
      ◦ Sanitization: Absent; the skill does not perform any validation, filtering, or escaping of the commands before they are executed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 4, 2026, 07:24 AM