skills/terrylica/cc-skills/start/Gen Agent Trust Hub

start

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Installation of persistent background services.
    • Evidence: The skill generates and loads a launchd plist on macOS (com.user.claude.loop.$loop_id) to periodically execute a waker script (waker.sh) in the background.
  • [COMMAND_EXECUTION]: Global configuration hooking.
    • Evidence: The skill modifies ~/.claude/settings.json to install PostToolUse, SessionStart, and PreToolUse hooks. These hooks trigger the execution of various scripts (heartbeat-tick.sh, session-bind.sh, pacing-veto.sh) on every tool invocation and session start, effectively hijacking the agent's lifecycle.
  • [COMMAND_EXECUTION]: Bypassing platform security controls.
    • Evidence: The script executes strip_plugin_quarantine_xattrs which uses xattr -d com.apple.quarantine on its own plugin directory. This is an explicit attempt to bypass macOS security protections for downloaded files.
  • [PROMPT_INJECTION]: High-risk indirect prompt injection surface.
    • Evidence: The skill implements a "self-revising autonomous loop" based on a LOOP_CONTRACT.md file. The agent is instructed to "Follow its instructions verbatim" and that the "file self-updates." This design allows for instructions injected into the contract (either via external processes or the agent's own self-revision during a compromised session) to be executed with high authority in subsequent iterations without human review.
      • Ingestion points: LOOP_CONTRACT.md (read at the start of every loop firing).
      • Boundary markers: Absent; instructions are followed verbatim.
      • Capability inventory: The agent has access to Bash, Read, Write, and Skill (specifically Skill(loop)), allowing it to perform arbitrary file and system operations based on the contract content.
      • Sanitization: Absent; the system is designed to trust the contract's evolving content.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 01:40 AM