brainstorm

Warn

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command (uv run recall.py) using a query derived from user input. The command template uses double quotes ("<QUERY>") without providing instructions for shell escaping, making it vulnerable to shell breakout and command injection if a user provides input containing quotes or shell metacharacters.
  • [PROMPT_INJECTION]: The skill directly interpolates user arguments into its main instruction prompt via the $ARGUMENTS placeholder, creating a surface for direct prompt injection where an attacker could attempt to hijack the agent's logic.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its knowledge retrieval mechanism:
      • Ingestion points: Output from the recall.py script is ingested into the agent context in Step 0 (SKILL.md).
      • Boundary markers: Absent. The skill does not use delimiters or instructions to isolate or treat external data as untrusted.
      • Capability inventory: The agent has capabilities to write local files (spec.md), execute shell commands (uv), and manage GitHub repositories (gh CLI).
      • Sanitization: Absent. There is no validation or sanitization of the content retrieved from the knowledge base before it is used to influence the agent's actions.
  • [DATA_EXFILTRATION]: The skill's integration with the GitHub CLI (gh repo create) provides a high-privilege path for data movement. If the agent is compromised via injection, this capability could be used to exfiltrate local files or secrets to an external repository.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 5, 2026, 09:05 AM