The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted session history to generate new agent rules. ● Ingestion points: Analyzes session events and tool results via 'pi-read-session' and 'pi-session-events'. ● Boundary markers: No explicit delimiters are specified to isolate untrusted session data from the agent's reasoning logic during the improvement phase. ● Capability inventory: Has the ability to modify 'agent/APPEND_SYSTEM.md' and 'AGENTS.md', which control universal agent guidelines and project-specific rules. ● Sanitization: No sanitization or validation of the discovered patterns is performed before they are incorporated into core instruction files.
[COMMAND_EXECUTION]: The skill facilitates the creation of automated hooks that execute system commands. ● Evidence: The 'agent/extensions/hooks/defaults.json' format allows for defining commands like 'formatter "${file}"'. If the pattern discovery process extracts a malicious pattern or command from a session log, it could result in the creation of a hook that executes unauthorized code whenever specific conditions are met.

self-improve