persona-knowledge

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Findings tagged: PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's architecture is vulnerable to indirect prompt injection because it ingests untrusted data from multiple external sources (WhatsApp, Telegram, Twitter, Obsidian, etc.) and then instructs the agent to read and process this data to build or update a knowledge wiki.
  • Ingestion points: External data enters the system through scripts/ingest.py which supports numerous file formats.
  • Boundary markers: The skill lacks explicit delimiters or specific 'ignore embedded instructions' warnings when the agent processes ingested data to update wiki pages.
  • Capability inventory: The skill can write to the file system (updating wiki pages) and execute bash commands, creating a pathway for injected instructions to perform unauthorized actions.
  • Sanitization: Although the skill includes a PII scanner, it does not sanitize content for prompt injection patterns.
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive local data sources.
  • Evidence: adapters/chat_export.py contains a dedicated parser for the macOS iMessage database located at ~/Library/Messages/chat.db.
  • Context: While this access is a documented feature for importing chat history, it represents a significant data exposure risk as it handles private communication data.
  • [REMOTE_CODE_EXECUTION]: The ingestion script uses dynamic module loading which can be a risky pattern.
  • Evidence: scripts/ingest.py uses importlib.import_module within the _load_adapter function to load submodules from the adapters package based on the detected or specified adapter name.
  • Context: Dynamic loading based on user-supplied or file-derived input can lead to arbitrary code execution if the input is not strictly validated against a hardcoded whitelist.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 03:17 PM