discovery-debrief
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes free-form user input describing customer conversations, which constitutes an ingestion point for untrusted data. The skill uses no explicit boundary markers or instructions to distinguish user narrative from system instructions. However, its capabilities are limited to updating internal project state files (MEMORY.md, hypotheses.json), and no high-risk capabilities such as network exfiltration or shell execution are present to be exploited.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses project-specific files such as MEMORY.md and the memory/ directory to track hypotheses and demand signals. This is standard behavior for state-management skills and involves no exfiltration to external domains.
Audit Metadata