The Agent Skills Directory

[DATA_EXFILTRATION]: The skill instructions direct the agent to access sensitive log data located at ~/.claude/projects/*.jsonl. These files contain full conversation histories, tool traces, and metadata from previous sessions which may include accidentally disclosed secrets or PII. Accessing files outside the immediate project workspace constitutes a data exposure risk.
[COMMAND_EXECUTION]: The skill documentation encourages the installation of persistent execution mechanisms, including pre-commit and pre-push git hooks, and a "Nightly" cron job that runs shell commands like make control-audit-strict. These mechanisms can be used to execute arbitrary code repeatedly and automatically on the host system.
[PROMPT_INJECTION]: The architecture is designed to ingest external data sources—specifically raw session logs and generated conversation documents—into the agent's active context window. This creates a surface for indirect prompt injection, as malicious instructions embedded in processed data could override the agent's current task or safety guidelines. Evidence includes the ingestion points (found in SKILL.md and references/architecture.md as ~/.claude/projects/*.jsonl and .entire/logs/entire.log) and the use of processing scripts (scripts/conversation-history.py) without mentioned sanitization, boundary markers, or input validation.

agent-consciousness