knowledge

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill uses the fs_write action to save files to paths constructed from user-controlled variables like {{topic}} and {{lang}}. There are no explicit instructions to validate or sanitize these inputs to prevent path traversal sequences (e.g., ../). An attacker could potentially craft a topic name that causes the agent to overwrite sensitive system files or write files outside the intended .knowledge/ directory.
  • [Indirect Prompt Injection] (LOW): The skill processes and stores untrusted user data (URLs, note content, and code snippets) without using boundary markers or safety instructions to ignore embedded commands within that data.
    * Ingestion points: User input provided for {{URL}}, {{Topic}}, {{content}}, and {{code}} fields in SKILL.md.
    * Boundary markers: No delimiters or 'ignore' instructions are present to separate user content from system instructions.
    * Capability inventory: The skill has the capability to write to the file system (fs_write).
    * Sanitization: There is no evidence of input validation, escaping, or filtering of the external content before it is processed and stored.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:10 PM