The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes arbitrary shell commands for testing, building, and linting that are dynamically extracted from project-controlled files like CLAUDE.md and package.json during the setup and verification phases.
[COMMAND_EXECUTION]: It dynamically searches for and loads other functional skill modules (e.g., debug-mode, tdd, roast-my-code) from the local filesystem (~/.claude/skills/) based on a constructed path pattern.
[EXTERNAL_DOWNLOADS]: During Phase 0, the skill is instructed to automatically install missing dependencies if guardrail commands fail, which could lead to the installation of untrusted or malicious packages if the project configuration is compromised.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from GitHub issues and source code which may contain malicious instructions designed to hijack the agent's workflow.
Ingestion points: Fetches GitHub issue content via gh issue view and reads local project files including source code and stack traces.
Boundary markers: The skill instructions do not mandate the use of delimiters or explicit warnings to the agent to ignore embedded instructions in the ingested data.
Capability inventory: The agent has the ability to execute shell commands, write to files, and manage git repositories, providing a high-impact surface for injected instructions.
Sanitization: There is no evidence of validation or sanitization of external content before it is processed by the agent's logic.

vs-fix