create-parents

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to its core functionality of ingesting untrusted external data to generate an AI persona. Evidence found in 'SKILL.md' and the 'prompts/' directory indicates that the agent reads chat logs (WeChat, QQ) and social media content using the 'Read' tool and custom Python parsers ('tools/wechat_parser.py', etc.). This ingestion lacks explicit 'ignore embedded instructions' warnings or boundary markers to isolate the untrusted data from the system prompts. Furthermore, the capability inventory for the agent includes high-privilege tools such as 'Bash', 'Write', and 'Edit'. The Python parsers provide structural extraction via regex but do not perform sanitization of the natural language content for malicious instructions, creating a risk where instructions embedded in chat history could influence the agent's behavior during persona generation.
  • [COMMAND_EXECUTION]: The skill performs dynamic generation of executable configuration files and executes local shell commands. It manages the creation of new 'SKILL.md' files for individual personas in the 'parents/{slug}/' directory, which is a form of dynamic script generation from templates. Management commands like '/delete-parents' utilize the 'Bash' tool to execute 'rm -rf' on paths constructed from user-influenced 'slug' strings. If the agent does not strictly validate the 'slug' input, this could potentially lead to path traversal or unintended file deletion. The skill also relies on executing various local Python scripts via the 'Bash' tool to perform data processing and version management.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 01:01 PM