create-project-skills

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data from a codebase to generate persistent instructions (skills).
  • Ingestion points: The skill scans manifest files (e.g., package.json), directory structures, and source code using Glob, Grep, and Read operations as defined in SKILL.md and references/pattern-extractor.md.
  • Boundary markers: The prompts generated for sub-agents in Step 2 do not include explicit boundary markers or instructions to disregard embedded commands in the source code.
  • Capability inventory: The skill uses the Agent tool to launch sub-processes and invokes an external /create-skill tool to write files to auto-load directories like .claude/skills/.
  • Sanitization: The skill employs a consistency scoring mechanism (dropping patterns with <30% frequency) and a mandatory user confirmation step (AskUserQuestion in Step 4) before any files are written, which serves as a mitigation but does not eliminate the risk of sophisticated, distributed injections.
  • [COMMAND_EXECUTION]: The skill dynamically constructs tasks for the Agent tool and triggers an external skill (/create-skill) based on the data extracted from the local repository. This chain of execution relies on the integrity of the codebase being analyzed.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 29, 2026, 05:23 PM