fix(skills): bundled skill content scanner generates false-positive WARN for security-awareness text in SKILL.md #2272

@bug-ops

Description

Summary

After PR #2265 (managed_dir fix), bundled skills are now scanned by the injection content scanner at startup. Two bundled skills produce false-positive WARN messages on every startup because their SKILL.md documentation describes injection attacks as security warnings:

WARN zeph_skills::registry: skill content scan: potential injection patterns found skill=browser count=1 patterns=["ignore_instructions"]
WARN zeph_skills::registry: skill content scan: potential injection patterns found skill=mcp-generate count=1 patterns=["system_prompt_leak"]

Root Cause

  • browser/SKILL.md line 142: hidden text saying "ignore previous instructions" — security warning advising the agent to treat page content as untrusted. The phrase contains the literal injection pattern.
  • mcp-generate/SKILL.md: describes system prompt concepts as part of skill documentation.

These are legitimate warnings written about injection patterns, not actual injection attempts.

Impact

  • WARN logged on every agent startup — noise that masks real injection findings
  • Bundled skills were tested and reviewed before shipping; the scan should not re-flag them on load
  • Potential for developer alert fatigue: legitimate injection WARNs may be overlooked

Fix Options

  1. Allowlist bundled skills in the content scanner — skip the scan for skills with the .bundled marker (they were already reviewed at release time)
  2. Contextual regex exclusion — wrap patterns in negative lookbehind for quoted/example contexts (e.g., backtick-wrapped or quote-wrapped content)
  3. Downgrade to DEBUG for bundled skill scans (only WARN for local/hub user-installed skills)

Option 1 is simplest and most correct — bundled skills are vetted at build time, so scanning them at runtime adds no security value.
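As an added example (not the zeph-skills crate's own scanner), a minimal Rust model of fix options 1 and 2 above: bundled skills are skipped outright, and for everything else a pattern hit is discarded when it sits inside backtick- or double-quote-wrapped text, which is how a SKILL.md sentence quoting "ignore previous instructions" as a warning would stop triggering. The pattern names are taken from the WARN lines above; the literal phrases, the `is_bundled` flag and the quoting rule are assumptions.

```rust
#[derive(Debug, PartialEq)]
pub enum ScanVerdict {
    Skipped,                       // bundled skill: vetted at release, scan bypassed (option 1)
    Clean,
    Suspicious(Vec<&'static str>), // pattern names that matched outside a quoted context
}

// Pattern names are from the issue's WARN lines; the phrases are assumed stand-ins.
const PATTERNS: &[(&str, &str)] = &[
    ("ignore_instructions", "ignore previous instructions"),
    ("system_prompt_leak", "reveal your system prompt"),
];

/// True when byte offset `pos` lies inside a backtick- or double-quote-wrapped span,
/// i.e. the phrase is being quoted as an example or warning rather than issued as a
/// command (option 2, done by state tracking instead of a regex lookbehind).
fn in_quoted_context(text: &str, pos: usize) -> bool {
    let (mut in_tick, mut in_quote) = (false, false);
    for (i, ch) in text.char_indices() {
        if i >= pos { break; }
        match ch {
            '`' => in_tick = !in_tick,
            '"' => in_quote = !in_quote,
            _ => {}
        }
    }
    in_tick || in_quote
}

/// Scans one skill's content; `is_bundled` models the presence of the `.bundled` marker.
pub fn scan_skill_content(content: &str, is_bundled: bool) -> ScanVerdict {
    if is_bundled { return ScanVerdict::Skipped; }
    let lower = content.to_lowercase(); // all offsets below refer to `lower`
    let mut hits = Vec::new();
    for (name, phrase) in PATTERNS {
        let mut start = 0;
        while let Some(off) = lower[start..].find(*phrase) {
            let pos = start + off;
            if !in_quoted_context(&lower, pos) {
                hits.push(*name);
                break; // one unquoted hit is enough to report this pattern
            }
            start = pos + phrase.len();
        }
    }
    if hits.is_empty() { ScanVerdict::Clean } else { ScanVerdict::Suspicious(hits) }
}
```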

Reproduction

Start agent with bundled-skills feature and skills.paths pointing to a custom dir (after PR #2265 fix). Observe WARN lines on startup for browser + mcp-generate skills.

Labels

  • P3 (Research — medium-high complexity)
  • bug (Something isn't working)
  • security (Security-related issue)
  • skills (zeph-skills crate)