capy-cortex

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUM

Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses the pickle module to deserialize local data files in scripts/cortex.py, scripts/embeddings.py, and scripts/consolidate.py. Deserialization of data using pickle is unsafe and can result in arbitrary code execution if the files are tampered with.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from tool responses and session transcripts, stores them in a database, and subsequently injects this unvalidated content into the agent's prompt context during future interactions.
    • Ingestion points: on_stop.py (transcript parsing) and on_tool_failure.py (tool output capture).
    • Boundary markers: Present in on_prompt_submit.py and on_session_start.py as markdown section headers, though these are not robust against adversarial content.
    • Capability inventory: The agent possesses standard tool capabilities; injected text can influence the agent's decision-making regarding these tools.
    • Sanitization: The skill relies on LLM-based extraction, which is an insufficient security filter for adversarial injection patterns.
  • [DATA_EXFILTRATION]: The dashboard.py script initializes a web server listening on 0.0.0.0, making the session memory database accessible to any device on the local network. Furthermore, the scripts/bootstrap.py utility accesses the user's entire Claude projects directory at ~/.claude/projects to mine historical data.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of external Python dependencies such as scikit-learn and numpy and communicates with remote LLM API endpoints (e.g., OpenRouter, OpenAI) to perform its core functions.
  • [COMMAND_EXECUTION]: The skill implements a monitoring hook (on_pre_bash.py) that evaluates and can programmatically block bash commands if they match known anti-patterns stored in its database.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 21, 2026, 07:18 AM