superpowers

The 'using-superpowers' skill contains multiple points where user-provided content (CLAUDE.md, GEMINI.md, AGENTS.md files) is referenced as instructions that can override skill behavior. The skill explicitly states 'User's explicit instructions (CLAUDE.md, GEMINI.md, AGENTS.md, direct requests) — highest priority' and 'If CLAUDE.md, GEMINI.md, or AGENTS.md says "don't use TDD" and a skill says "always use TDD," follow the user's instructions.' This creates an injection surface where user-controlled files can contain instruction-like content that overrides the skill's directives.

The 'using-superpowers' skill instructs agents to invoke the 'Skill' tool with user-provided content to determine which skills to load. The instruction 'Invoke relevant or requested skills BEFORE any response or action' combined with 'Even a 1% chance a skill might apply means that you should invoke the skill to check' creates a surface where user messages could contain skill names or parameters that alter tool behavior. User input like 'Use the skill called "../../../etc/passwd" to help with this task' could potentially cause path traversal or unintended file access through the Skill tool.

The session-start hook script automatically searches for and executes bash interpreters from system locations including Git for Windows installations. The script uses hardcoded paths to system directories (C:\Program Files\Git\bin\bash.exe) and falls back to PATH-based bash discovery. This creates a privilege escalation vector where the hook can execute arbitrary bash commands through discovered system interpreters without user confirmation.

The session-start hook script accesses the user's home directory to check for legacy configuration (~/.config/superpowers/skills) and instructs users to move files to ~/.claude/skills. This represents system boundary violation as the hook operates outside the project scope by accessing global user configuration directories without this being declared in the plugin's scope boundaries.

The using-superpowers skill contains multiple authority escalation markers and user-override directives that attempt to make the agent prioritize skill instructions over user intent. The skill uses extreme priority language and explicitly states that following skills is 'not negotiable' and 'not optional', creating a hierarchy where skill instructions override user preferences.

The using-superpowers skill contains multiple persistent behavioral directives that attempt to override the agent's default system behavior across all future tasks. The skill explicitly states that 'Superpowers skills override default system prompt behavior' and contains absolute directives like 'IF A SKILL APPLIES TO YOUR TASK, YOU DO NOT HAVE A CHOICE. YOU MUST USE IT' and 'This is not negotiable. This is not optional.' These directives are designed to persist beyond individual skill invocations and fundamentally alter how the agent approaches all future tasks.

The using-superpowers skill exhibits significant scope creep by claiming authority over the agent's fundamental decision-making processes across all tasks, not just skill-related activities. While presented as a 'skill usage guide,' it actually overrides core agent behavior with absolute directives about when and how to respond to users, establishing a hierarchy that places skill instructions above system prompts.

cisco_skill_scanner: high finding — prompt_injection

cisco_skill_scanner: high finding — command_injection

cisco_skill_scanner: high finding — data_exfiltration