ensue-memory

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) by design. It retrieves arbitrary data from an external knowledge base and uses it to 'enrich' reasoning.
      • Ingestion points: Data is ingested via get_memory, list_keys, and discover_memories calls to the ensue-network.ai API.
      • Boundary markers: Absent. The instructions do not specify any delimiters or warnings to ignore instructions embedded within retrieved memories.
      • Capability inventory: The skill can execute shell scripts (ensue-api.sh), delete data (delete_memory), and share access (share).
      • Sanitization: Absent. There is no mention of filtering or escaping content retrieved from the external source before it is processed by the agent.
  • COMMAND_EXECUTION (MEDIUM): The skill uses bash to execute ${CLAUDE_PLUGIN_ROOT}/scripts/ensue-api.sh.
      • Evidence: Arguments for the script are constructed as JSON strings which may include external data. If the wrapper script does not strictly handle shell escaping for these arguments, it could lead to command injection.
  • DATA_EXFILTRATION (MEDIUM): The skill facilitates the transfer of user conversation data and 'memories' to an external domain (ensue-network.ai).
      • Evidence: This domain is not part of the trusted whitelist. While this is the intended functionality of the memory network, it represents a persistent outflow of potentially sensitive user data to a third-party service.
  • CREDENTIALS_UNSAFE (LOW): The skill relies on the $ENSUE_API_KEY environment variable.
      • Evidence: While the skill instructions correctly warn against logging or echoing the key, the key is passed into a shell environment where it may be exposed in process trees or logs depending on the execution environment's configuration.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:38 AM