skill-evolution

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The 'Score CLI' section and the 'Integration' section both use bash scripts that pipe data into python3 -c, substituting shell variables directly into the Python source (e.g., skill = '$1'). A skill name containing a single quote closes the string literal, so any Python that follows it is parsed and executed with the agent's privileges. The value should reach Python as an argv element or an environment variable rather than being spliced into the code.
  • [DATA_EXFILTRATION]: The 'Crystallization Protocol' automatically performs git push origin based on composite scores. This operation pushes local repository tags and metadata to a remote server, which may leak internal developer notes or historical data stored in the repository without explicit human review.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface within its 'Auto-Repair Protocol'.
  • Ingestion points: The system reads the feedback field from ~/.claude/skill-scores.jsonl, which contains strings describing session outcomes likely derived from user input or external tool outputs.
  • Boundary markers: No delimiters or instructions are used to distinguish the feedback content from the instructions for the 'catalyst' agent.
  • Capability inventory: The system has capabilities for file writing, shell command execution via Python/Node, and Git operations.
  • Sanitization: The feedback content is read directly and summarized by the catalyst agent without sanitization. An attacker could embed malicious instructions in the feedback field to influence the 'catalyst' agent during the repair process.
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script located at ~/.claude/hooks/dist/canavar-cli.mjs. While this appears to be part of a local ecosystem, it executes pre-compiled/transpiled code with the leaderboard command, which is a form of local script execution.
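The first COMMAND_EXECUTION finding, shown as a runnable reconstruction. This is an added example, not the skill-evolution skill's own script or anything produced by the audit: the original 'Score CLI' code is not reproduced on the page, so vuln_record is an assumed stand-in for the skill = '$1' pattern it describes, and safe_record and env_record are the two standard fixes (argv and environment) placed beside it. The skill name in PAYLOAD is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the skill-evolution skill or the audit.
# vuln_record reconstructs the interpolation pattern the audit describes
# (skill = '$1' inside python3 -c); the exact original script is not on
# the page, so this function is an assumed stand-in.

# VULNERABLE: the shell substitutes $1 into the Python source before
# python3 ever sees it. A single quote in $1 closes the string literal and
# everything after it is parsed as Python and executed.
vuln_record() {
  python3 -c "import json; skill = '$1'; print(skill)"
}

# HARDENED (argv): the Python source is a fixed single-quoted literal that
# the shell never edits; the untrusted value travels as a separate argv
# element and is read from sys.argv, so quotes and semicolons stay data.
safe_record() {
  python3 -c 'import sys; skill = sys.argv[1]; print(skill)' "$1"
}

# HARDENED (environment): same idea, the value is handed over as an
# environment variable and read with os.environ inside fixed Python source.
env_record() {
  SKILL="$1" python3 -c 'import os; skill = os.environ["SKILL"]; print(skill)'
}

# Constructed malicious skill name: closes the literal, then reassigns the
# variable. A real payload would use the same break-out to run, for example,
# __import__('os').system(...) instead of a harmless reassignment.
PAYLOAD="x'; skill='HIJACKED"

demo() {
  echo "vulnerable: $(vuln_record "$PAYLOAD")"   # HIJACKED
  echo "argv fix:   $(safe_record "$PAYLOAD")"   # the literal payload string
  echo "env fix:    $(env_record "$PAYLOAD")"    # the literal payload string
}

demo
```

The same break-out applies to a heredoc (python3 - <<EOF ... skill = '$1' ... EOF) because the shell expands $1 there too; the only safe shapes are the ones where the Python text is constant and the value arrives through argv or the environment.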
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 22, 2026, 07:46 AM
Security Audit — agent-trust-hub — skill-evolution