The Agent Skills Directory

[COMMAND_EXECUTION]: The state.sh utility script dynamically constructs jq filter paths using the $path variable within the state_read and state_write functions. Although the script includes a validation function (_validate_jq_path), the underlying regular expression allows characters such as the pipe (|) and spaces. This pattern could potentially enable filter injection or the execution of unauthorized logic within the jq process if an attacker-controlled string is passed to these utility functions.
[PROMPT_INJECTION]: The skill presents a significant attack surface for indirect prompt injection due to its design, which requires the agent to aggregate and interpret context from numerous external files that store cumulative user interaction history and historical state.
Ingestion points: The central reasoning loop defined in BRAIN.md instructions reads data from memory/inner-state.json, memory/drive.json, memory/habits.json, memory/relationship.json, memory/questions.md, tasks/QUEUE.md, and various daily session logs.
Boundary markers: The framework uses HTML-style comment tags (e.g., ) for internal messaging, but lacks robust delimiters to isolate untrusted or user-supplied content from system-critical instructions within those files.
Capability inventory: The skill is capable of executing shell scripts (init.sh, score.sh), manipulating the local file system using jq, and performing emotion-driven routing of agent behavior based on stored data.
Sanitization: Beyond a basic regex check for JSON paths in the state utility script, there is no evidence of content sanitization or escaping applied to the data retrieved from the memory files before it is processed by the agent's main context.

inner-life-core