compact-chat-history

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill requires the agent to include verbatim and unaltered quotes of user messages in the 'High-Value User Input' section. This creates a vector for indirect prompt injection where an attacker can supply malicious instructions in a chat that are then persisted into the context summary and executed when the agent restores context in a future session.
      • Ingestion points: SKILL.md (Instructions for sections 4 and 6, processing recent messages and verbatim user quotes).
      • Boundary markers: Absent. The provided output example does not use delimiters to wrap the untrusted user content.
      • Capability inventory: The summary is explicitly used to guide future agent actions (defining 'Next Steps' and 'Skills Needed').
      • Sanitization: Absent. The skill explicitly forbids sanitization, stating quotes 'must be complete and unaltered; do not paraphrase'.
  • [DATA_EXFILTRATION]: Information Exposure. The instructions require the agent to generate a thorough inventory of the project's file system, including full file paths and their purposes. This sensitive metadata is then passed to the compact_chat_history tool, exposing the internal directory structure.
  • [PROMPT_INJECTION]: The rule requiring the summary to be 'at least 10,000 characters' is suspicious and contradictory to the stated goal of 'compacting' history. Such a large minimum length could be used to hide malicious instructions within a 'wall of text' or cause resource exhaustion/increased token costs.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 10:27 AM