
memory-manager

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Path traversal vulnerability in categorize.sh. The script utilizes user-provided arguments $NAME and $SOURCE in mv and cat operations without sanitization. An attacker can use traversal sequences (e.g., ../../) to target files outside the intended memory directory, potentially overwriting critical system files like ~/.bashrc or ~/.ssh/authorized_keys.
  • [COMMAND_EXECUTION]: Argument injection vulnerability in search.sh. The script passes the unsanitized $QUERY variable directly to the grep command. This allows an attacker to inject grep flags such as -f, which can be used to read arbitrary files from the filesystem or manipulate search output to expose sensitive information.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It retrieves and processes content from markdown files stored in the workspace, which could contain malicious instructions designed to hijack the agent's behavior.
  • Ingestion points: Files within memory/episodic/, memory/semantic/, and memory/procedural/ are read by search.sh and snapshot.sh.
  • Boundary markers: None. The scripts lack markers or instructions to the LLM to ignore potentially malicious embedded content.
  • Capability inventory: The skill has the ability to read, move, and overwrite files via standard shell utilities.
  • Sanitization: There is no validation or filtering of content retrieved from the memory files before it is returned to the agent context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 02:39 PM