self-reflection

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes logs from group chats which contain data from untrusted external sources.
  • Ingestion Point: File SKILL.md (Step 1) executes bash commands to read the last 50 lines of chat logs from ~/.config/alma/groups/*.log.
  • Boundary Markers: Absent. Logs are read and presented to the LLM without delimiters or instructions to ignore embedded commands.
  • Capability Inventory: The agent has the capability to modify its persistent identity via alma soul append-trait and its long-term memory via alma memory add.
  • Sanitization: None. The agent is explicitly told to 'extract lessons' and 'update personality' based on the retrieved logs, creating a direct path for an attacker to inject permanent behavioral traits.
  • [Command Execution] (LOW): The skill uses the Bash tool to perform file system operations (mkdir, cat, tail) and execute the alma CLI. While these are required for the skill's functionality, they provide a broad attack surface if the agent is compromised via the aforementioned prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 06:53 AM