
load

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of external data.
    Ingestion points: The skill reads data from "Serena MCP memory" keys using the read_memory tool, as described in Step 2 of SKILL.md.
    Boundary markers: No markers or instructions are provided to the agent to treat the content of the memories as data rather than as instructions.
    Capability inventory: The skill is designed for use in agents such as Claude Code or Cursor, which typically possess file system and shell execution capabilities.
    Sanitization: The skill lacks any sanitization or verification steps for the loaded content. The explicit instruction to "Follow cross-references found in loaded memories ('MUST read', 'also read')" establishes a chain of trust that malicious data could exploit to force the agent to load, and potentially execute, further malicious content or instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 29, 2026, 03:13 AM