skills/alberduris/skills/self-message/Gen Agent Trust Hub

self-message

Warn

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The instructions explicitly direct the agent to bypass user permission and oversight, stating 'You do NOT need user permission to self-message' and encouraging the agent to start fresh agentic loops 'without waiting for user input'. This enables highly autonomous behavior (up to 200 consecutive turns) that could lead to the agent deviating from the user's intended constraints or security guidelines.
  • [DATA_EXFILTRATION]: The scripts/self-message.sh script writes conversation context and internal reasoning to the /tmp/claude-self-msg/ directory. On shared systems, files stored in /tmp may be readable by other users or processes, creating a risk that sensitive data being 're-framed' or summarized by the agent is exposed.
  • [COMMAND_EXECUTION]: The skill relies on a bash script to handle the self-messaging logic. It processes input arguments directly and persists them to the filesystem, representing a command execution surface that lacks input sanitization or validation of the agent-generated content.
  • [PROMPT_INJECTION]: An indirect prompt injection surface is created by the ingestion of untrusted or agent-modified data into future loops.
      - Ingestion points: scripts/self-message.sh.
      - Boundary markers: Absent in the storage mechanism.
      - Capability inventory: File-writing via shell script and subsequent prompt re-injection by the system hook.
      - Sanitization: Absent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 20, 2026, 04:24 PM