agent-native-architecture
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- DATA_EXFILTRATION (HIGH): The file references/refactoring-to-prompt-native.md explicitly instructs developers to remove the file-access boundary. It states 'Agent can read anything' and gives code examples that strip the ALLOWED_PATHS validation from the read_file tool. Without that check, any path the model emits (including one it is induced to request by content it has read) is returned verbatim, which creates a high risk of sensitive data exposure.
- REMOTE_CODE_EXECUTION (HIGH): The file references/self-modification.md details a 'Self-Deploy' pattern in which the agent runs git pull against a remote repository, then npm run build, then restarts itself. Because npm run build executes whatever the fetched package.json defines, anyone who can push to that repository (or compromise it) gains code execution on the agent's host: the agent fetches the malicious commit, builds it and runs it automatically.
- COMMAND_EXECUTION (HIGH): references/self-modification.md provides implementation details for tools such as runCommand and runGit that execute arbitrary shell commands to manage builds and deployments, giving the agent unrestricted control over its host environment.
- PROMPT_INJECTION (LOW): references/dynamic-context-injection.md describes a dynamic-context architecture that exposes an indirect prompt injection surface (Category 8). It recommends interpolating untrusted, user-controlled data (book titles, highlights, excerpts) directly into the system prompt. Evidence chain:
  1. Ingestion points: libraryService.books and activityService.recent records (referenced in dynamic-context-injection.md).
  2. Boundary markers: absent; the implementation uses plain string interpolation inside markdown headers, so a record can add headings or other prompt structure.
  3. Capability inventory reachable from the same context: publish_to_feed, read_library, web_search, write_file.
  4. Sanitization: absent; no escaping or validation of user-provided data is discussed.
- EXTERNAL_DOWNLOADS (MEDIUM): The documentation encourages automated downloads and merges from remote Git repositories (git fetch origin) with no integrity or provenance check beyond the repository URL: no pinned revision, signed tag or signed commit is required before the fetched code is built.
Recommendations
- AI analysis detected serious security threats; the skill fails the audit on the HIGH findings above (unrestricted file reads, unverified self-deploy from a remote repository, and arbitrary command execution on the host).