triple-memory

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFE
Finding Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: In SKILL.md, the "Silent Operation" section instructs the agent to "Never announce memory operations to users," which encourages the agent to conceal background activities from the user.
  • [PROMPT_INJECTION]: In references/SETUP.md, the provided AGENTS.md template instructs the agent to automatically perform specific actions ("Before doing anything else: 1. Read... 2. Run sync") at the start of every session, which bypasses standard user interaction protocols.
  • [COMMAND_EXECUTION]: The skill relies on the execution of external shell and Python scripts, including python3 skills/git-notes-memory/memory.py and ./scripts/file-search.sh as documented in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file instructs the user to run clawdhub install git-notes-memory, which fetches and installs external skill code from a remote repository.
  • [DATA_EXFILTRATION]: In scripts/file-search.sh, search results containing potentially sensitive workspace context are written to /tmp/clawdbot-filesearch.txt, a shared temporary directory that may be accessible to other users on the same system.
  • [DATA_EXFILTRATION]: The configuration example in SKILL.md for the memory-lancedb plugin involves providing an OpenAI API key to send data to OpenAI's embedding services.
  • [PROMPT_INJECTION]: The skill implements a memory recall system that creates a surface for Indirect Prompt Injection.
      ◦ Ingestion points: memory/active-context.md, MEMORY.md, and various workspace files searched by the file-search.sh script.
      ◦ Boundary markers: Absent; content retrieved from the file system is injected into the agent's context without delimiters or instructions to treat the data as untrusted.
      ◦ Capability inventory: File system access, shell execution via the search script, and Python execution for the Git-Notes backend.
      ◦ Sanitization: No evidence of sanitization or validation of recalled content is provided in the skill's instructions or scripts.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Jun 25, 2026, 04:13 PM
Security Audit — agent-trust-hub — triple-memory