The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The script scripts/evolve-soul.md contains a hardcoded PostgreSQL connection string that includes a plaintext password: postgresql://postgres:36795379@localhost:5432/agent_memory. This exposes the database credentials to anyone with access to the skill's source code.
[COMMAND_EXECUTION]: The skill generates and executes SQL commands by directly interpolating the {user} variable into query strings (e.g., in scripts/evolve-soul.md, scripts/evolve-recipes.md, and scripts/list-versions.md). This pattern is vulnerable to SQL injection, potentially allowing an attacker to manipulate database queries or bypass access controls if the user handle is not strictly validated and sanitized.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted session observations (facets) to drive the evolution of behavioral profiles and recipes.
Ingestion points: Data enters the context via the get_recent_facets and get_soul_state functions called in scripts/evolve-soul.md and scripts/evolve-recipes.md.
Boundary markers: Absent. The prompts in prompts/evolution-planning.md and prompts/recipe-evolution.md provide the untrusted data as raw context without using robust delimiters or instructions to the model to ignore embedded commands within the facets.
Capability inventory: The skill possesses powerful capabilities including writing to the filesystem to update soul profiles (../skill-system-soul/profiles/) and workflow recipes (../skill-system-workflow/recipes/), as well as executing arbitrary SQL commands via psql (scripts/evolve-soul.md).
Sanitization: Absent. There is no evidence of filtering, escaping, or validation of the insight facets before they are processed by the LLM to determine behavioral changes.

skill-system-evolution