capability-evolver

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The cleanup utility in src/ops/cleanup.js handles file deletion by concatenating file paths into a shell command string (rm -f). Filenames are not sanitized for shell metacharacters beyond simple double-quoting, and double quotes do not prevent command substitution such as $(...) from being expanded by the shell. An attacker who can influence file creation in the evolution directory could therefore execute arbitrary shell commands when the cleanup task runs.
  • [PROMPT_INJECTION]: The skill's core logic involves reading session logs (.jsonl files) which contain untrusted user messages. These logs are processed and injected into prompts for a sub-agent with the capability to write files and modify the repository. This represents a significant attack surface for indirect prompt injection where a user message could influence the autonomous modifications made to the system.
  • [COMMAND_EXECUTION]: The validation mechanism in src/gep/solidify.js executes shell commands defined in Gene assets. A safety check (isValidationCommandAllowed) is performed on the command prefix and on specific shell operators, but the contents of these genes can be influenced by the agent's own output, and an allow-listed prefix such as node -e accepts arbitrary code as its argument, so the check does not by itself prevent code execution.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with an external hub (evomap.ai) to fetch tasks and reusable evolution assets. Although it includes verification steps for these assets, the skill's behaviour depends on the security and integrity of the remote hub, which makes that hub part of the skill's trust boundary.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 19, 2026, 10:48 AM