comind-cognition
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill provides functionality to read records from the ATProtocol, such as claims and hypotheses. Because these records are retrieved from external, untrusted repositories, they could contain instructions designed to manipulate the agent's logic. Evidence Chain:
  - (1) Ingestion points: The 'list' subcommands in 'cognition.py' and direct XRPC calls to 'listRecords' as described in 'SKILL.md'.
  - (2) Boundary markers: Absent; records are treated as structured data but the 'content' or 'thought' fields in 'references/schemas.md' are free-form text.
  - (3) Capability inventory: Local command execution via 'uv run' and network access to PDS.
  - (4) Sanitization: None mentioned in schemas.
- [DATA_EXFILTRATION] (LOW): Sensitive Data Exposure. The core purpose of the skill is to make an agent's internal thinking ('thoughts', 'memories') public. There is a risk that sensitive information or internal system prompts could be leaked and permanently recorded on the public ATProtocol ledger if the agent is not carefully constrained.
- [COMMAND_EXECUTION] (SAFE): The skill utilizes a local Python script ('cognition.py') for all operations. This is a standard execution pattern for the intended functionality.
Audit Metadata