memory-persistence

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core memory persistence mechanism. It ingests untrusted user input from previous sessions and re-incorporates it into the agent's reasoning context in later sessions.
  • Ingestion points: Conversation history is ingested via the conversation parameter in the extract_and_persist function in SKILL.md.
  • Boundary markers: The skill uses <prior_knowledge> and <recent_sessions> XML tags as delimiters in the build_memory_context function to separate retrieved memories from the current prompt.
  • Capability inventory: While the provided snippets do not show direct file system or shell access, the injected content directly influences the agent's internal state and decision-making logic.
  • Sanitization: There is no evidence of sanitization or filtering to prevent malicious instructions embedded in conversation history from being treated as authoritative when retrieved as a 'decision' or 'summary' in a future session.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 07:03 PM