skills/workersio/skills/solana-audit/Gen Agent Trust Hub

solana-audit

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill implements a multi-stage auditing process where the output of an 'Explorer' agent (summarizing untrusted repository code) is directly interpolated into the prompts of four specialized 'Scanner' agents in Phase 2. Maliciously crafted strings or comments within a target Solana smart contract could attempt to influence the reasoning or report generation of these sub-agents when the orchestrator passes the code context to them.
      • Ingestion Points: SKILL.md (Phase 1 Explorer output and Phase 2 Syntactic scan results).
      • Boundary Markers: Descriptive headers are used in prompt templates (e.g., [INSERT EXPLORER OUTPUT HERE]), but data is inserted via literal string replacement.
      • Capability Inventory: The orchestrator and sub-agents have Read access to the repository, and the orchestrator has Write access to the plugin data directory for logging and configuration.
      • Sanitization: The skill does not explicitly sanitize or escape the findings of the exploration phase before injecting them into subsequent agent prompts.
  • [SAFE]: Restricted Command Execution. The skill utilizes the Bash tool to perform high-speed syntactic scanning (grep) of the target codebase. Security is maintained by explicitly restricting the Bash tool to only grep and wc commands within the allowed-tools configuration, preventing arbitrary command execution.
  • [SAFE]: State Management and Persistence. The skill correctly uses the ${CLAUDE_PLUGIN_DATA} environment variable to store audit configurations and historical logs. This allows for persistent features like checking for prior audits and tracking accepted risks without exposing sensitive system directories.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 05:05 PM