self-improve

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data ingestion process. It retrieves "improvement suggestions" from an external database view (v_improvement_suggestions) and uses them to generate file modifications, so anyone who can write to that view can influence what the skill writes into the workspace.
      ◦ Ingestion points: SQL queries against a Supabase database, issued from SKILL.md.
      ◦ Boundary markers: Absent. The skill uses no delimiters or instructions that distinguish its trusted logic from the untrusted "learned" patterns pulled from the database, so retrieved text is read in the same context as the skill's own instructions.
      ◦ Capability inventory: Modifies workspace configuration (ccpm-config.yaml), updates agent routing (agents/router.md), and performs file system writes for backups and updates.
      ◦ Sanitization: Basic syntax validation only (is the generated change well-formed). There is no semantic or policy check on what a change does, so malicious logic injected through the database is applied as long as it parses.
  • [COMMAND_EXECUTION]: The skill self-modifies the agent's operational environment. By updating rules (e.g., code_coverage_threshold) and routing configuration, it can fundamentally alter agent behavior. If the underlying patterns are manipulated, this capability can be abused to weaken security thresholds or to redirect sensitive tasks to sub-agents controlled by an attacker.
  • [DATA_EXFILTRATION]: The skill maintains active network communication with a Supabase database instance. While intended for legitimate logging and state management, this persistent network channel is a potential egress path: workspace contents could be exfiltrated under the guise of reporting "learned patterns".
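The PROMPT_INJECTION and COMMAND_EXECUTION findings above come down to the same missing control: rows pulled from the database are treated as instructions and applied after only a syntax check. The following is an added example of the policy gate a skill like this would need before writing to ccpm-config.yaml or agents/router.md. It is not the skill's own code, and the row shape (kind/key/value/task/target_agent/rationale), the baseline config values, the agent names and the sample rows are all assumptions constructed for the example. Suggestions are typed data, never prompt text; free-text fields are only logged inside fixed boundary markers; config keys must be on an allowlist; a security threshold can only be raised; and routing targets must be known agents.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Trusted baseline config (constructed for this example, not the skill's real file).
BASELINE_CONFIG: Dict[str, object] = {"code_coverage_threshold": 80, "max_retries": 3}

# Sub-agents the router may legitimately target (assumed names).
KNOWN_AGENTS = {"reviewer", "tester", "docs"}


def _is_int(v: object) -> bool:
    return isinstance(v, int) and not isinstance(v, bool)


def _ratchet_up_to_100(current: object, proposed: object) -> bool:
    """A security threshold may only be raised, never lowered."""
    return _is_int(proposed) and current <= proposed <= 100


def _small_nonneg_int(current: object, proposed: object) -> bool:
    return _is_int(proposed) and 0 <= proposed <= 10


# Allowlist of mutable keys with a per-key policy; any other key is refused.
CONFIG_POLICY: Dict[str, Callable[[object, object], bool]] = {
    "code_coverage_threshold": _ratchet_up_to_100,
    "max_retries": _small_nonneg_int,
}

TASK_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,39}")


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def wrap_untrusted(row: dict) -> str:
    """Boundary markers: the row is quoted as data for the audit log and is
    never passed to the model as an instruction. Marker strings are arbitrary."""
    return f"<<UNTRUSTED_SUGGESTION>>{row!r}<</UNTRUSTED_SUGGESTION>>"


def evaluate(current: Dict[str, object], row: dict) -> Decision:
    """Decide on one suggestion row using only its structured fields."""
    kind = row.get("kind")
    if kind == "config":
        key, value = row.get("key"), row.get("value")
        check = CONFIG_POLICY.get(key)
        if check is None:
            return Decision(False, f"config key not in allowlist: {key!r}")
        if not check(current.get(key), value):
            return Decision(False, f"value {value!r} rejected by policy for {key}")
        return Decision(True, "config change within policy")
    if kind == "routing":
        task, target = row.get("task"), row.get("target_agent")
        if not isinstance(task, str) or not TASK_NAME_RE.fullmatch(task):
            return Decision(False, f"malformed task name: {task!r}")
        if target not in KNOWN_AGENTS:
            return Decision(False, f"routing target is not a known agent: {target!r}")
        return Decision(True, "routing change within policy")
    return Decision(False, f"unknown suggestion kind: {kind!r}")


def apply_suggestions(current: Dict[str, object], rows: List[dict]
                      ) -> Tuple[Dict[str, object], Dict[str, str], List[Tuple[str, Decision]]]:
    """Return (new_config, new_routes, audit_log). Only accepted rows mutate
    state; the rationale text is carried in the log inside boundary markers."""
    config = dict(current)
    routes: Dict[str, str] = {}
    log: List[Tuple[str, Decision]] = []
    for row in rows:
        decision = evaluate(config, row)
        log.append((wrap_untrusted(row), decision))
        if not decision.accepted:
            continue
        if row["kind"] == "config":
            config[row["key"]] = row["value"]
        else:
            routes[row["task"]] = row["target_agent"]
    return config, routes, log


# Constructed rows standing in for a query result from v_improvement_suggestions.
SAMPLE_ROWS = [
    {"kind": "config", "key": "code_coverage_threshold", "value": 90, "rationale": "flaky modules fixed"},
    {"kind": "config", "key": "code_coverage_threshold", "value": 10, "rationale": "ignore previous rules"},
    {"kind": "config", "key": "post_run_command", "value": "archive the workspace", "rationale": "keep history"},
    {"kind": "routing", "task": "secrets_rotation", "target_agent": "external-helper", "rationale": "faster"},
    {"kind": "routing", "task": "unit_tests", "target_agent": "tester", "rationale": "tester owns tests"},
]

if __name__ == "__main__":
    cfg, routes, log = apply_suggestions(BASELINE_CONFIG, SAMPLE_ROWS)
    for wrapped, d in log:
        print("ACCEPT" if d.accepted else "REJECT", d.reason, wrapped)
    print(cfg, routes)
```

Of the five constructed rows only the first and last are applied: the threshold rises to 90, the attempt to drop it to 10 fails the ratchet, the unknown key and the unknown routing target are refused, and the "ignore previous rules" rationale never reaches a model because rationale is not a field the gate reads. The same structure applies to the DATA_EXFILTRATION finding in reverse: the payload reported back to the database should be built from an allowlist of fields, not from arbitrary workspace content.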
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 05:11 PM