kb-learn
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE
PROMPT_INJECTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted conversation history to generate 'learnings' that are saved to persistent project files like CLAUDE.md and KB files. This creates an indirect prompt injection surface where a malicious user or external tool output could inject instructions that the agent then 'learns' and follows in future sessions.
  - Ingestion points: Processes the entire conversation (Phase 1), which includes untrusted input.
  - Boundary markers: Lacks specific delimiters to isolate instructions within the conversation history.
  - Capability inventory: Capable of modifying agent guidelines (CLAUDE.md) and knowledge base files (Phase 4).
  - Sanitization: Instructions include a directive to ignore secrets but do not provide a mechanism to filter out malicious behavior-altering instructions.
  - Mitigation: Includes a mandatory human-in-the-loop approval step (Phase 3) where the user reviews all proposed updates before they are committed.
- [NO_CODE]: This skill consists entirely of markdown instructions and does not contain any executable scripts or binaries, reducing the risk of direct malicious code execution.
Audit Metadata