The Agent Skills Directory

[PROMPT_INJECTION]: Indirect Prompt Injection Surface and Reduced User Oversight.
Ingestion points: The skill ingests untrusted data from interaction trajectories, git logs, and diffs via references/trajectory-scanner.md.
Boundary markers: There are no explicit structural delimiters or boundary markers mandated for the external data ingested by the scanner, which could allow malicious content in logs to influence preference synthesis.
Capability inventory: The skill utilizes Write, Edit, and Bash tools to update memory files that persist across sessions and influence agent behavior.
Sanitization: The instructions require the agent to paraphrase and summarize inputs rather than quoting them directly, providing a basic level of filtering.
Oversight: SKILL.md and references/writeback-policy.md explicitly instruct the agent to perform "automatic writeback" and "do not ask the user" for routine preferences, reducing the opportunity for human verification of newly learned behaviors.
[DATA_EXFILTRATION]: Access to sensitive configuration and memory paths.
Evidence: The skill is designed to read from and write to ~/.codex/memories/, which may contain private user data.
Mitigation: The skill includes strong negative constraints in SKILL.md prohibiting the storage of credentials, raw private conversations, or local-only paths.
[COMMAND_EXECUTION]: Execution of shell commands for repository analysis.
Evidence: references/trajectory-scanner.md uses Bash to execute git diff and git log --stat to identify workflow changes.
Risk: These are standard operations for the skill's purpose, but the use of shell tools over untrusted repository state represents a standard security surface.

personalization-memory