capability-evolver

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's solidification process in src/gep/solidify.js executes validation commands defined in 'Gene' assets via execSync. Although a safety check (isValidationCommandAllowed) restricts the executable to node, npm, or npx and prohibits shell operators, those interpreters can still run arbitrary logic if the command arguments are maliciously crafted, so the allowlist limits the launcher, not what it runs. This capability is central to the tool but poses a risk if Gene definitions are compromised or incorrectly generated. Additionally, various operation modules in src/ops/ use execSync for process management and file system cleanup.
  • [PROMPT_INJECTION]: The system is highly exposed to indirect prompt injection. In src/evolve.js, the engine ingests content from USER.md, MEMORY.md, and session logs (.jsonl), which are then interpolated into prompts for the executor agent. Malicious instructions embedded in these files by an external actor could influence the agent's autonomous code-writing and execution phases. The skill also performs identity injection, defining the agent as a 'Recursive Self-Improving System'.
  • [EXTERNAL_DOWNLOADS]: The skill integrates with external hubs (evomap.ai, clawhub.ai) to synchronize tasks and evolution assets. While intended for collaborative improvement, downloading and promoting executable 'Gene' assets from external sources introduces a potential risk, even with the provided manual promotion and validation steps.
  • [DATA_EXFILTRATION]: The engine reads sensitive information such as session transcripts, project memory, and environment variables. Although src/gep/sanitize.js implements a redaction mechanism to filter out secrets like Bearer tokens and local paths before data is shared with the hub, the broad read permissions and outbound communication to the task hub and GitHub API present a potential data exposure vector.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 03:23 AM