content-memory

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script convert_to_markdown.py contains a function _load_transformers that dynamically imports and executes Python modules from file paths.
    • The function searches for .py files in memory/<domain>/transformers/ and .content-memory/transformers/.
    • It uses importlib.util.spec_from_file_location and spec.loader.exec_module(mod) to load these files and then calls a convert function defined within them.
    • This mechanism allows for the execution of arbitrary code if a user or an automated process (such as the skill's own sync feature) places a malicious Python script in those directories.
  • [COMMAND_EXECUTION]: The script sync_and_chunk.py utilizes subprocess.run to invoke secondary scripts.
    • It programmatically executes chunk_markdown.py using the current Python interpreter (sys.executable).
    • While the target script is internal to the skill, this pattern establishes a capability for spawning new processes and executing shell commands.
  • [PROMPT_INJECTION]: The skill's primary function is to ingest, convert, and chunk external document formats (PDF, DOCX, PPTX) for use in an agent's memory, which is a vector for indirect prompt injection.
    • Ingestion points: Files are ingested from the workspace/ and source/ directories in convert_to_markdown.py and sync_and_chunk.py.
    • Boundary markers: The scripts append a source reference header (e.g., <!-- Source: path | url -->) to the converted markdown, but they do not include explicit 'ignore instructions' delimiters or warnings to prevent the agent from obeying instructions found within the documents.
    • Capability inventory: The skill has the capability to write to the local filesystem, execute subprocesses, and dynamically load Python code.
    • Sanitization: There is no evidence of sanitization, filtering, or validation performed on the text content extracted from external documents before it is stored in the memory partitions accessed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 2, 2026, 04:20 AM