create

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and trusts configuration data from files located at hooks/recommendations/*.json. If a user is working within a malicious repository, an attacker could provide crafted JSON files to influence which plugins the agent recommends or which marketplace sources it suggests to the user.
  • Ingestion points: The skill uses the Glob and Read tools to ingest data from hooks/recommendations/*.json (SKILL.md, Step 1).
  • Boundary markers: There are no boundary markers or instructions to the agent to treat the content of these JSON files as untrusted or potentially malicious.
  • Capability inventory: The skill has the capability to invoke other skills via the Skill tool and to recommend shell commands (/plugin install) to the user based on the ingested data.
  • Sanitization: The skill does not perform any validation or sanitization of the plugin, description, or marketplace fields retrieved from the JSON files before using them in its routing logic or user prompts.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 04:46 PM