context-recovery

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from external messaging platforms that could contain malicious instructions.
  • Ingestion points: Chat history from external platforms (Discord, Slack, Telegram, Signal) fetched via message:read (SKILL.md, Step 2).
  • Boundary markers: Absent. The skill parses and summarizes content without using delimiters to isolate untrusted data.
  • Capability inventory: Includes the ability to append to local memory files (cat >>), execute terminal commands (jq, grep), and influence the agent's future behavior through synthesized summaries.
  • Sanitization: Absent. Malicious instructions embedded in chat history could be synthesized into the "Recovered Context" and permanently saved to the agent's memory in Step 6.
  • [Data Exposure] (HIGH): The skill accesses sensitive local file paths containing agent interaction history and long-term memory.
  • Evidence: Accesses ~/.clawdbot-*/agents/*/sessions/*.jsonl and ~/clawd-*/memory/ (SKILL.md, Steps 3 and 4).
  • [Command Execution] (MEDIUM): Executes shell commands and processes local files using pipe-based logic.
  • Evidence: Uses jq, grep, ls, and xargs to process session and memory data. These are standard utilities, but here they operate on potentially sensitive directories (SKILL.md, Steps 3 and 4).
  • [Dynamic Execution] (MEDIUM): Dynamically generates and appends content to local markdown files based on processed external data.
  • Evidence: Uses a heredoc to append recovered context to a daily memory file (~/clawd-*/memory/$(date +%Y-%m-%d).md), which may include unsanitized external content (SKILL.md, Step 6).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 13, 2026, 09:52 PM