The Agent Skills Directory

[DATA_EXFILTRATION]: The skill accesses highly sensitive local databases, specifically the iMessage database at ~/Library/Messages/chat.db, to extract private communication history. It also processes other sensitive personal files including WhatsApp exports and social media archives.
[DATA_EXFILTRATION]: The system explicitly scans for and aggregates personal identifiers (PII) such as SSNs, credit card numbers, and passwords using the scripts/ingest.py utility. This sensitive information is then stored in a centralized, searchable vector database (MemPalace).
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It instructs the agent to ingest and summarize data from untrusted external files (e.g., chat exports, archives) to build its internal knowledge base (the Karpathy LLM Wiki). Malicious instructions embedded in these source files could manipulate the agent's behavior during the knowledge synthesis phase.
Ingestion points: Automated processing of external files via the scripts/ingest.py entry point.
Boundary markers: Absent; there are no instructions or delimiters in SKILL.md to prevent the agent from obeying commands found within source documents.
Capability inventory: The agent has permissions to Read and Write files and execute Bash commands, including the provided utility scripts.
Sanitization: Absent; content is processed verbatim after PII detection flags are raised.
[COMMAND_EXECUTION]: Employs dynamic module loading in scripts/ingest.py via importlib.import_module. The adapter module to be loaded is selected based on user-controlled CLI arguments, which could be leveraged for arbitrary code execution if an attacker can write files to the adapters/ directory.
[EXTERNAL_DOWNLOADS]: Requires the external mempalace library for its core data storage and semantic search architecture. Additionally, it may require pdfplumber or PyPDF2 for processing PDF documents.

persona-dataset