memory-management

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to persist information across sessions, creating a vulnerability where malicious instructions embedded in data can be stored and later executed by the agent.
  • Ingestion points: Untrusted data enters the context through mcp__memory__create_entities and mcp__memory__add_observations, which process bug descriptions, session summaries, and 'discovered patterns' from the workspace.
  • Boundary markers: The skill lacks delimiters or instructions to treat recalled memories as data rather than instructions, meaning the agent may obey commands stored in its memory graph.
  • Capability inventory: The skill is granted Read, Write, and Edit permissions. This allows instructions recalled from memory to trigger filesystem modifications.
  • Sanitization: No sanitization, escaping, or validation of the content being stored in the knowledge graph is implemented.
  • Data Exposure (MEDIUM): The skill explicitly prioritizes storing sensitive information, such as 'Critical bug fixes' and 'Architectural decisions' (Score 10/10). While no active exfiltration was detected, the aggregation of this high-value data into a single queryable graph significantly increases the impact of any subsequent data exposure or exfiltration vulnerability.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:44 AM