
ai-brain

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The read-memory.sh script is vulnerable to path traversal. It accepts absolute paths starting with / or relative paths using ../ without sanitization, allowing the agent to read sensitive files anywhere on the system (e.g., ~/.ssh/id_rsa, /etc/passwd).
  • [COMMAND_EXECUTION]: The write-memory.sh and append-history.sh scripts are vulnerable to path traversal when creating or updating memory files. By providing a crafted name (e.g., ../../../.bashrc), an attacker could overwrite critical system configuration files, potentially leading to arbitrary command execution when the user opens a new terminal.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by design. It automatically saves 'learned' user preferences and AI lessons into identity files (AI.md, you.md), which are explicitly loaded into the agent's context at the start of every session. Malicious instructions provided in one conversation can thus be 'remembered' and executed in subsequent sessions. Evidence: session.sh loads these files at start, while write-memory.sh updates them based on session observations without sanitization or boundary markers.
  • [COMMAND_EXECUTION]: The recall.sh script uses grep on user-controlled file content. While less severe than the path traversal issues, unsanitized keyword inputs could potentially be used to influence grep behavior via command-line flags.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 01:30 AM