aif-evolve
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The core function of the skill is to ingest data from external files and translate it into new system instructions (rules) for other skills, which creates a vector for persistent behavioral modification.
  - Ingestion points: Processes patch files from .ai-factory/patches/*.md (determined by paths.patches in config).
  - Boundary markers: Absent. The instructions do not specify the use of delimiters, escaping, or 'ignore instructions' warnings when extracting and reapplying 'prevention points' from the patch content.
  - Capability inventory: The skill possesses the Write and Edit capabilities to modify skill instruction files (SKILL.md) and uses Bash(git *).
  - Sanitization: Absent. The skill is instructed to preserve concrete formats and patterns from patches verbatim, so malicious instructions disguised as 'prevention points' could be incorporated into rules.
- [COMMAND_EXECUTION]: Potential path traversal in skill resolution logic. The normalization process for the target skill name (from $ARGUMENTS) only strips leading slashes and does not sanitize directory traversal sequences (e.g., '..'). The resolved name is used to construct file paths for the Read tool, so it could be used to access files outside the intended directory if the underlying tool lacks sufficient sandboxing.