byted-ark-evolve

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests and processes untrusted historical conversation data to update the agent's core instructions. An attacker could potentially use specific chat history to influence the agent's future rules, although this is mitigated by mandatory human review of all proposals.
  • Ingestion points: scripts/scan-history.py (reads conversation JSONL files) and scripts/detect-signal.py (processes hook input).
  • Boundary markers: Absent in the analysis worker prompt within orchestrator.py.
  • Capability inventory: apply-proposal.py (writes to .md files in workspace) and orchestrator.py (executes platform CLI commands).
  • Sanitization: Employs regex pattern matching for initial signal detection, though the final synthesis of rules is performed by an LLM-based worker.
  • [COMMAND_EXECUTION]: Several scripts utilize the subprocess module to interface with system tools like git and the openclaw platform CLI.
  • Evidence: scripts/orchestrator.py invokes openclaw agent --local, scripts/apply-proposal.py uses various git commands, and scripts/workspace-init.py calls openclaw --version. All observed calls use list-based arguments without shell execution, minimizing command injection risk.
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 10:50 AM