dbs-restore

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to access and list contents within the ~/.dbs/sessions/ directory. It uses logic based on shell commands (e.g., basename $(pwd)) to determine default project names.
  • [COMMAND_EXECUTION]: The --slug parameter accepts user-provided strings to locate specific project directories. Without strict validation, this input could be used for directory traversal to probe or list file structures outside the intended sessions folder.
  • [PROMPT_INJECTION]: The skill processes untrusted local data from snapshot files to determine the agent's next action. Specifically, it uses a next_skill field within these files to route the user to other skills, creating an indirect prompt injection surface where modified local files can control agent flow.
  • [PROMPT_INJECTION]: Includes a mandatory evidence chain for indirect injection: (1) Ingestion point: snapshot files in ~/.dbs/sessions/; (2) Boundaries: minimal (relies on 'picking core fields'); (3) Capability inventory: read/list files, dynamic skill routing; (4) Sanitization: none explicitly defined for metadata parsing.
Audit Metadata
Risk Level: SAFE
Analyzed: May 1, 2026, 11:30 AM