AgentDB Memory Patterns

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION

Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill extensively uses npx agentdb@latest for initialization, querying, and performance benchmarking. This pattern fetches and executes the most recent version of the agentdb package from the npm registry. Since the package is not from a trusted organization (as defined in the TRUST-SCOPE-RULE), this constitutes downloading and executing unverifiable remote code.
  • REMOTE_CODE_EXECUTION (HIGH): Instructions for setting up the MCP server (claude mcp add agentdb npx agentdb@latest mcp) create a persistent remote execution vector. Whenever the agent uses this tool, it will execute code downloaded on-the-fly from the npm registry.
  • COMMAND_EXECUTION (MEDIUM): The skill provides numerous CLI commands that interact with the local file system (migrate --source, init ./agents.db, export ./backup.json). If the dynamically downloaded agentdb package were compromised, these commands would grant an attacker full access to read or write local files.
  • DYNAMIC_EXECUTION (MEDIUM): The create-plugin functionality allows the agent to generate and potentially load new logic based on templates (e.g., decision-transformer). This dynamic assembly of logic from external templates increases the attack surface for malicious code injection.
  • INDIRECT_PROMPT_INJECTION (LOW): This skill has a significant ingestion surface, as it stores conversation data as 'patterns' and retrieves them to 'synthesize context'.
      ◦ Ingestion points: adapter.insertPattern and adapter.retrieveWithReasoning in SKILL.md.
      ◦ Boundary markers: Absent. No evidence of delimiters or instructions to the LLM to ignore embedded commands in retrieved memory.
      ◦ Capability inventory: The skill has file system access (via CLI) and network-adjacent capabilities (via MCP/npx).
      ◦ Sanitization: Absent. Data is stored and retrieved as raw JSON strings without visible escaping.

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:24 PM