improve-skill

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest session transcripts—which are attacker-controllable via tool outputs, web content, or terminal data captured in logs—and use them to generate instructions for the agent to modify its own skills.
  • Ingestion points: The analyze_session.py script reads transcript files (e.g., /tmp/session.md) containing raw historical session data.
  • Boundary markers: No boundary markers or delimiters are specified to separate untrusted transcript content from the analysis instructions.
  • Capability inventory: The skill is granted Write, Edit, and Bash permissions, which allow it to modify persistent configuration files or execute system commands based on the generated analysis.
  • Sanitization: No evidence of sanitization or filtering of instructions embedded within the transcripts is provided.
  • [Data Exposure] (HIGH): Session transcripts processed by this skill inherently contain sensitive information, including user queries, file paths, and potentially API keys or secrets exposed during previous debugging sessions. The extraction of this data to shared locations like /tmp/ increases the local exposure risk.
  • [Command Execution] (MEDIUM): The skill relies on executing local Python scripts (extract_session.py, analyze_session.py) via the uv run command. While these are part of the skill, they perform high-privilege operations such as reading session databases and writing to the file system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 12:03 AM