Gen Agent Trust Hub audit: skills/rjmurillo/ai-agents/memory

Skill: memory

Result: Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Several utility scripts execute the git binary to discover project directories. These calls use hardcoded argument arrays (e.g., git rev-parse --git-common-dir) and do not invoke a shell, so no user-controlled input is interpreted by a shell.
  • Evidence: Hardcoded git calls in memory_core/schema_validation.py and various scripts in the scripts/ directory.
  • [DATA_EXFILTRATION]: The skill performs HTTP operations to interface with a local 'Forgetful MCP' service. This communication is strictly limited to localhost:8020, preventing data transmission to external servers.
  • Evidence: Network logic in memory_core/memory_router.py and scripts/search_memory.py.
  • [PROMPT_INJECTION]: The system ingests external data from markdown and JSON files, creating a surface for indirect prompt injection. However, the implementation includes significant mitigations including strict query validation and path traversal guards.
  • Ingestion points: Memory files in .serena/memories/ and session episodes in .agents/memory/episodes/.
  • Boundary markers: Search results are structured as JSON data fields rather than being concatenated directly into prompts.
  • Capability inventory: Subprocess execution of git and local file reads/writes.
  • Sanitization: Restricted regex pattern for search queries (^[a-zA-Z0-9\s\-.,_()&:]+$) and validation that all file paths remain within the project root using .resolve() and .is_relative_to().
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 03:46 PM