syncing-memory-filesystem

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill provides instructions to configure a local Git credential helper that echoes the LETTA_API_KEY in plain text using a shell function (!f() { echo "password=$LETTA_API_KEY"; }; f). This practice exposes the sensitive API key in the process list and the repository's local configuration file.
  • [COMMAND_EXECUTION] (MEDIUM): The skill requires the agent to execute a variety of shell commands, including git config, curl, and shell-based hooks. The installation of a pre-commit hook is a persistence mechanism that executes code automatically during Git operations.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill performs git clone operations from a remote URL defined by $LETTA_BASE_URL. While this is the intended purpose, it involves downloading data from a variable external source.
  • [DATA_EXFILTRATION] (LOW): The skill enables the bidirectional sync of agent memory to a remote Git repository. This constitutes an authorized data exit point for the agent's internal state.
  • [INDIRECT_PROMPT_INJECTION] (LOW):
      • Ingestion points: The agent reads markdown files from the memory/system/ directory of a remote Git repository.
      • Boundary markers: The skill enforces YAML frontmatter validation but does not provide clear delimiters or instructions to ignore malicious content within the body of the memory blocks.
      • Capability inventory: The agent has the capability to write files, modify Git configurations, and send network requests via curl based on instructions it might process.
      • Sanitization: There is no evidence of content sanitization for the markdown body; only metadata (frontmatter) is validated for specific fields.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 22, 2026, 04:16 AM