soul-self-evolution

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The rollback function in run.py accepts an absolute path as the checkpoint argument. This allows the skill to read the content of any system file accessible to the process and write it directly into the SOUL.md file, which defines the agent's core behavior and instructions.
  • [PROMPT_INJECTION]: The safety mechanism in the apply function, which is intended to protect sections like 'Safety Guardrails', can be bypassed because the list of protected sections is taken from input arguments. An attacker can provide an empty immutable_sections list to overwrite any part of the file.
  • [PROMPT_INJECTION]: The primary function of this skill is to modify the agent's behavioral configuration (SOUL.md). This creates a persistent surface for prompt injection where malicious instructions can be permanently embedded into the agent's persona.
  • [DATA_EXFILTRATION]: By using the rollback function to read sensitive files (e.g., SSH keys or configuration files) and writing them into the agent's instructions, the skill facilitates the exposure of sensitive data to the LLM, which can then be exfiltrated through subsequent agent responses.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it processes external observations and changes without sanitization.
  • Ingestion points: The observations argument in the propose function and the changes argument in the apply function (file: run.py).
  • Boundary markers: Absent; the content is written directly into the target markdown sections without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill uses path.write_text() to modify local files, providing a high-impact capability for successful injections.
  • Sanitization: Absent; there is no validation or escaping of the content provided by the agent's context or external triggers.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 11, 2026, 06:13 AM