skill-system-insight

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8).
  • Ingestion points: The scripts/extract-facets.md procedure loads full session transcripts via the session_read capability for analysis.
  • Boundary markers: The prompts/facet-extraction.md prompt contains no delimiters that separate transcript data from instructions, and no instruction to disregard commands embedded in the transcript.
  • Capability inventory: The skill has the ability to write to the database (insert_insight_facet, upsert_soul_state) and the file system (fs.write in scripts/synthesize-profile.md).
  • Sanitization: There is no evidence of sanitization, escaping, or validation of the transcript content before it is processed by the LLM.
  • [COMMAND_EXECUTION]: The synthesize-profile operation contains a potential path traversal vulnerability. It writes profile files to a path built from the user identifier (../skill-system-soul/profiles/<user>.md). If the <user> value is not strictly validated (for example, restricted to a fixed character set and checked to resolve inside the profiles directory), an identifier containing path separators or ".." segments could cause files to be created or overwritten outside that directory.
  • [DATA_EXFILTRATION]: The skill facilitates sensitive data exposure by requiring access to all historical user interaction transcripts and session metadata. While used for the legitimate purpose of creating a behavioral 'soul state', this broad access increases the risk of sensitive information being misused if the agent's logic is compromised via indirect injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 09:49 PM