The Agent Skills Directory

[Data Exposure] (MEDIUM): The mcp__plugin_episodic-memory_episodic-memory__read tool (referred to as show in the main skill file) accepts an absolute file path as a parameter. While its intended use is for reading conversation logs stored in ~/.config/superpowers/, the lack of path validation or sandboxing within the skill's description could allow an agent to be manipulated into reading sensitive system files (e.g., SSH keys, credentials) if an attacker can influence the path string.
[Indirect Prompt Injection] (LOW): The skill is designed to ingest and process data from past conversations, which constitutes untrusted external data.
Ingestion points: The search and read tools fetch content from JSONL files on disk.
Boundary markers: Absent. The instructions do not provide delimiters or warnings to the agent to ignore instructions contained within the retrieved history.
Capability inventory: The agent has the ability to read local files and potentially perform other actions based on retrieved 'decisions' or 'patterns'.
Sanitization: Absent. No evidence of escaping or filtering content retrieved from the episodic memory.
[Metadata Poisoning] (MEDIUM): There is a functional discrepancy between SKILL.md and MCP-TOOLS.md. The main skill file instructs the agent to use a show tool, while the reference documentation only defines a read tool (mcp__plugin_episodic-memory_episodic-memory__read). This inconsistency can lead to tool execution failures or unexpected agent behavior.

remembering-conversations