skill-optimizer-lawvable

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it is designed to ingest and process conversation history—which can contain attacker-controlled input—and convert those "signals" into persistent instructions in other SKILL.md files.
  • Ingestion points: The skill scans the entire current conversation for feedback signals (corrections, successes, edge cases).
  • Boundary markers: The skill uses four quality criteria (Complete, Precise, Atomic, Stable) to filter signals and requires explicit user approval ("Apply these changes? [Y/n]") before updating files.
  • Capability inventory: The skill has the ability to read and write to the filesystem, specifically targeting SKILL.md, CHANGELOG.md, and OBSERVATIONS.md files within the skills/ directory.
  • Sanitization: The skill asks for user clarification when signals are ambiguous, but it does not employ specific escaping or sanitization of the injected text beyond the quality checks.
  • [COMMAND_EXECUTION]: The skill uses basic shell commands for state management.
  • Evidence: It executes rm -f ./.disabled to enable automatic mode and touch ./.disabled to disable it.
  • Hook Mechanism: The skill includes a bash script scripts/self-improve-hook.sh intended to be added to the platform's "stop" hook. This script executes at the end of sessions to trigger the self-improvement logic. While this introduces an auto-execution surface, the script itself is local and its current function is limited to outputting a system message for the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 04:12 AM
Security Audit — agent-trust-hub — skill-optimizer-lawvable