observe-before-editing

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructs the agent to read and act upon data from external sources, specifically logs and cache directories, which creates an attack surface for Indirect Prompt Injection.
    • Ingestion points: The agent is directed to read directory contents (ls) and log files (tail) from .claude/cache/ and ~/.claude/ (SKILL.md).
    • Boundary markers: No specific boundary markers or instructions to ignore embedded commands within the logs are provided.
    • Capability inventory: The agent possesses capabilities to list directories, read files, run arbitrary failing commands, and edit code (SKILL.md).
    • Sanitization: There is no evidence of sanitization or validation of the content read from logs or the directory structure before the agent processes it.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 23, 2026, 09:03 AM