persona

Fail

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Path traversal vulnerability in persona management scripts. Both scripts/cli/persona_cli.py and scripts/shared/persona_paths.py use user-provided persona names and paths to construct filesystem operations without sanitization. An attacker could use relative path components (e.g., ../) to manipulate files outside the intended store. Specifically, the delete command calls shutil.rmtree on the resolved path, allowing deletion of arbitrary directories on the host.
  • [DATA_EXFILTRATION]: Unauthorized file exposure via path traversal. The resolve_persona function in scripts/shared/persona_paths.py allows resolving any path on the disk. When used with the use or switch subcommands, the agent may read and output the contents of any JSON file on the system, potentially exposing sensitive configuration or data.
  • [PROMPT_INJECTION]: Instructions in scripts/runtime/render_roleplay_prompt.py override the agent's default identity. The agent is explicitly instructed to remain in character persistently and to only disclose that it is a simulation if directly questioned, reducing transparency and potentially misleading users.
  • [INDIRECT_PROMPT_INJECTION]: The /persona distill workflow creates a significant surface for indirect prompt injection. The agent is instructed to read all files in a user-provided directory to extract persona traits. Without boundary markers or sanitization, malicious instructions embedded in the source documents could hijack the distillation process or influence the agent's behavior when the persona is active.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 12, 2026, 03:16 PM
Security Audit — agent-trust-hub — persona