The Agent Skills Directory

[PROMPT_INJECTION]: The skill explicitly instructs the agent to bypass human-in-the-loop safety protocols. It mandates autonomous operation with instructions such as "never ask for input, pause for approval, or wait for a human" and "make it yourself, apply it, and log it." This suppresses the user's ability to review potentially destructive changes or command executions.
[COMMAND_EXECUTION]: The skill implements a "gate-based" mechanism that executes arbitrary shell commands defined in external prompt files. The instructions state "the bar is that command exiting 0. Run it; do not judge it by eye," which forces the execution of whatever string is provided in the file without validation.
[DATA_EXFILTRATION]: Due to the autonomous nature of the skill and its ability to execute commands and read the codebase, it could be used to exfiltrate sensitive information. A malicious instruction file in the loop directory could command the agent to read secrets or configuration files and include them in the final report or transmit them via a network request.
[INDIRECT_PROMPT_INJECTION]: The skill possesses a large attack surface for indirect prompt injection as it treats data as instructions.
Ingestion points: Files in the LOOP_DIR (defaulting to loops/*.md) are loaded directly as active instructions for the agent.
Boundary markers: There are no delimiters or boundary markers used when the content of an external file is interpolated into the agent's context.
Capability inventory: The skill has broad capabilities, including modifying the filesystem of the TARGET directory, executing shell commands, and generating detailed logs.
Sanitization: The skill does not perform any sanitization or safety checks on the instructions loaded from the prompt files.

personal-loop