agent-memory-patterns

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The queue_external_memory function in SKILL.md is vulnerable to shell command injection. It feeds the $content variable to a heredoc whose delimiter is unquoted (<< EOF). In bash, an unquoted heredoc delimiter makes the shell perform variable expansion and command substitution on the heredoc body, so any malicious input containing patterns like $(command) is executed by the shell when the function is called.
  • [PROMPT_INJECTION]: The skill facilitates Indirect Prompt Injection by design. It provides tools to ingest unsanitized external content into 'pending memory' files and later retrieves that content to provide context to the agent during searches. Malicious instructions embedded in the ingested data could be interpreted and followed by the agent in subsequent sessions.
      • Ingestion points: external-content-queue.sh (function queue_external_memory) in SKILL.md.
      • Boundary markers: The skill uses markdown headers and code blocks but lacks explicit safety instructions or delimiters to warn the agent against following embedded commands.
      • Capability inventory: Includes extensive file system manipulation, shell script execution, and search capabilities across the workspace.
      • Sanitization: No input validation, escaping, or filtering is applied to the external content before it is stored in the memory system.
  • [COMMAND_EXECUTION]: The skill includes a 'memory-maintenance-cron.txt' file that provides instructions for setting up persistent scheduled tasks (cron jobs). While presented as maintenance, this establishes a persistence mechanism that ensures scripts are executed automatically on the host at regular intervals.
  • [COMMAND_EXECUTION]: Multiple scripts in SKILL.md (e.g., memory-search.sh, monthly-archive.sh) perform broad file system operations such as find, mv, and rm. These scripts build their search queries and dates from variables which, if not strictly controlled or sanitized, could be abused to access or modify unintended files.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 15, 2026, 01:39 AM