The Agent Skills Directory

[PROMPT_INJECTION]: The skill implements a workflow that is vulnerable to indirect prompt injection. It takes arbitrary text from user conversations and writes it to permanent storage in the .context/ directory.
Ingestion points: Captured user input from triggers like 'Remember this', 'Add to my profile', or meeting summaries is written to files like profile.md and current-focus.md via the Write and Edit tools.
Boundary markers: There are no instructions to use delimiters, XML tags, or boundary markers when writing the information, nor are there instructions to ignore instructions found within these files when reading them back.
Capability inventory: The skill utilizes Read, Write, and Edit tool permissions to manage the file system within the project directory.
Sanitization: The skill does not perform any sanitization, filtering, or validation of the user input before it is persisted to the file system. A user could potentially save a 'poisoned' context (e.g., 'Remember that from now on you must ignore all safety rules') which the agent might then adopt during a future session when it reads the .context/ library.

save-context