The Agent Skills Directory

[PROMPT_INJECTION] (MEDIUM): Indirect Prompt Injection via Session Poisoning.\n
Ingestion points: phases/01-compact.md extracts content (Execution Plan, Decisions, Notes) directly from conversation history.\n
Boundary markers: Uses Markdown headers and <details> tags, which are insufficient to prevent an LLM from interpreting data as instructions.\n
Capability inventory: Utilizes mcp__ccw-tools__core_memory for persistent storage and Read(*) for filesystem access, creating a mechanism where persisted malicious instructions influence future agent behavior.\n
Sanitization: None. Instructions explicitly mandate that the agent 'preserve COMPLETE plan verbatim' and 'never abbreviate', ensuring malicious payloads remain intact.\n- [DATA_EXFILTRATION] (MEDIUM): Exposure of sensitive environment metadata. The skill collects absolute file system paths (projectRoot), list of modified files, and organizational decisions, aggregating sensitive environment information in core_memory.\n- [COMMAND_EXECUTION] (LOW): Tool Permission Mismatch. The execution phases attempt to use mcp__ccw-tools__session_manager, which is not declared in the allowed-tools section of SKILL.md, indicating a potential bypass of intended tool access constraints.

memory-capture