knowledge-base

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill implements a scan command that analyzes the project codebase using ace-tool to extract domain concepts and terminology.
      ◦ Ingestion points: Project source code files, class names, and comments via the scan and discover commands in SKILL.md.
      ◦ Boundary markers: None specified in the documentation to distinguish between code and potential malicious instructions embedded in comments.
      ◦ Capability inventory: File system write access (creating .md files in docs/knowledge/), local command execution via bun for script logic, and generation of summary files (GLOSSARY.md, index.md).
      ◦ Sanitization: No evidence of sanitization for code content before it is processed or interpolated into the knowledge base templates.
  • [Command Execution] (MEDIUM): The skill relies on the bun runtime to execute a local TypeScript entry point (lib.ts).
      ◦ Evidence: Multiple commands in SKILL.md invoke bun ~/.pi/agent/skills/knowledge-base/lib.ts with various arguments including scan, init, and create.
      ◦ Risk: If the lib.ts file or its dependencies (such as ace-tool) are compromised or handle malicious input poorly, this allows arbitrary code execution on the user's machine.
  • [Data Exposure] (LOW): The scan and discover functions process the entire project directory.
      ◦ Evidence: The documentation specifies that the knowledge base is stored in ./docs/knowledge/ relative to the project root and that the codebase state is scanned.
      ◦ Risk: While a primary feature, this behavior could inadvertently expose sensitive configuration files or hardcoded secrets if they are present in the codebase and indexed into the Markdown knowledge base.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:56 PM