The Agent Skills Directory

[PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8). Ingestion points: The entire untrusted conversation history is used to determine documentation updates. Boundary markers: None present; there are no delimiters or warnings to ignore embedded instructions in the conversation data. Capability inventory: The agent possesses file-write capabilities targeting local and global paths like AGENTS.md and settings.json. Sanitization: None; the skill lacks any mechanism to filter or escape malicious instructions before they are written to persistent storage. An attacker could manipulate the conversation to ensure the agent saves malicious rules that will be followed in future sessions.
[COMMAND_EXECUTION]: The skill performs file system modifications on sensitive global paths, including ~/.claude/AGENTS.md and ~/.config/opencode/opencode.json. This functions as a persistence mechanism (Category 6), enabling permanent changes to agent behavior that persist across different user sessions and project contexts.
[DATA_EXFILTRATION]: The skill presents a risk of sensitive data exposure (Category 2). By instructing the agent to 'reflect on mistakes' and 'document constraints' from the conversation, it may inadvertently lead the agent to save private credentials, secrets, or internal data into plain-text markdown files stored on the disk.

documentation-updates