The Agent Skills Directory

[DATA_EXFILTRATION]: Path Traversal Vulnerability in the get action.
In run.py, the get function constructs a file path by joining the memory directory with a user-provided file argument using the / operator: filepath = _MEMORY_DIR / filename.
Because the code does not validate the input or resolve the path to ensure it stays within the intended directory, an attacker can provide an absolute path (e.g., /etc/passwd) or relative path sequences (e.g., ../../.ssh/id_rsa) to read arbitrary files from the system.
[COMMAND_EXECUTION]: Command Argument Injection in the search action.
The search function in run.py uses subprocess.run to execute the system's grep utility.
The user-supplied query is passed directly as a command-line argument. While this does not allow for full shell injection because shell=True is not used, it does allow for argument injection. An attacker could provide a query starting with hyphens (e.g., --help or other grep flags) to manipulate the behavior of the search or bypass restrictions.
[PROMPT_INJECTION]: Indirect Prompt Injection Attack Surface.
The skill is designed to search and read Markdown files from a local directory, which could contain malicious instructions embedded by an attacker or a third party.
Ingestion points: Files read and displayed via the search and get handlers in run.py.
Boundary markers: None. Content is extracted and returned to the agent context as a raw string without delimiters or instructions for the agent to ignore embedded commands.
Capability inventory: The skill has read access to the filesystem and performs subprocess execution for searching.
Sanitization: None. Content is read using read_text and returned with only length-based truncation.

memory-search