meta-apply
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs permanent modifications to the agent's own instruction set and skill repository (the 'corpus') using Write and Edit tools. This capability allows for persistent changes to agent behavior based on externally generated patches.
- [COMMAND_EXECUTION]: Executes a local Python script 'provenance.py' using Bash, where the script's location is resolved at runtime through a search chain of relative and environment-defined directories (.aris/tools/, tools/, $ARIS_REPO/tools/). This dynamic path resolution can be a vector for executing unintended code if the environment is misconfigured.
- [PROMPT_INJECTION]: The skill processes untrusted data in the form of code patches (.diff files) which could contain malicious instructions designed to subvert the agent's behavior once applied.
- Ingestion points: Patch files and manifests read from the '.aris/meta/pending/' directory.
- Boundary markers: Employs a 'fresh thread' and 'paths-only' context for the reviewer model (Jury) to mitigate context leakage and prevent the reviewer from being influenced by the producer's logic.
- Capability inventory: Utilizes Write and Edit tools for corpus mutation and Bash for executing provenance stamping scripts.
- Sanitization: Implements a multi-layered verification process including a cross-model AI jury and mandatory human approval for every patch before it is landed.
Audit Metadata