crucible-research-foundations

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill features 'Self-Evolution' instructions that direct the agent to 'update the relevant section' of the SKILL.md and append to logs based on runtime data. This represents a significant indirect prompt injection surface; if the agent processes malicious research findings or z-scores, those values or embedded instructions could be promoted into the skill's core definitions without human oversight.
    ◦ Ingestion points: Research results, z-score interpretations, and session findings (e.g., from 'Phase L-C').
    ◦ Boundary markers: None. The agent is instructed to integrate findings directly into prose sections.
    ◦ Capability inventory: Instructions to overwrite sections in SKILL.md and append to references/evolution-log.md.
    ◦ Sanitization: None described; the agent is expected to 'draft a new section' based on session triggers.
  • [COMMAND_EXECUTION]: The instructions require the agent to perform file-writing operations to maintain an 'append-only ledger' and update the 'Confirmation counts' table. There is a conflict between these instructions and the skill's allowed-tools metadata, which limits the environment to read-only tools (Read, Grep, Glob). If implemented in an environment that permits writing, the agent's behavior of modifying its own source files acts as a persistence mechanism for any logic changes.
  • [PERSISTENCE]: The requirement to maintain state across sessions by updating the 'Confirmation counts' and 'evolution-log.md' files ensures that any modifications (legitimate or malicious) persist beyond the current session lifecycle.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 11, 2026, 01:41 AM