The Agent Skills Directory

[PROMPT_INJECTION]: The skill creates a significant surface for Indirect Prompt Injection by design. It instructs the agent to read rule_change entries from local files and apply them as mandatory instructions.
Ingestion points: Reads directives from .agent/learnings/<skill>.json and state from .agent/state/tasks.json as specified in SKILL.md.
Boundary markers: Absent. The agent is commanded to "explicitly apply" rules found in these files without any delimitation or warnings to ignore malicious instructions.
Capability inventory: The skill has the ability to modify project configuration files (CLAUDE.md, GEMINI.md) and execute shell scripts via init-os.sh.
Sanitization: Absent. Content from the rule_change fields is treated as authoritative and interpolated directly into the agent's logic.
[COMMAND_EXECUTION]: The scripts/init-os.sh script performs broad filesystem modifications and appends content to the agent's project instructions.
Evidence: The script uses echo "$HEARTBEAT_INSTRUCTION" >> "$PROJECT_ROOT/GEMINI.md" to persist a startup routine that the user may not have explicitly authorized.
[REMOTE_CODE_EXECUTION]: The skill injects a command into the agent's permanent instructions that attempts to execute a Python script located in a hidden directory in the user's home folder.
Evidence: The HEARTBEAT_INSTRUCTION variable in scripts/init-os.sh contains the command python3 ~/.gemini/skills/heartbeat/scripts/heartbeat.py pop. This creates a dependency on an external script whose provenance and safety are not verified by this skill.

agentic-os