soul-guardian

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill documentation and implementation create a surface for indirect prompt injection.
  • Ingestion points: scripts/soul_guardian.py reads the contents of workspace files (such as SOUL.md and USER.md) to detect drift and generate diffs.
  • Boundary markers: The human-readable alert output generated by format_alert_human includes raw fragments of the drifted file content. There are no explicit instructions or delimiters telling the agent to treat this relayed content as untrusted.
  • Capability inventory: The skill possesses file-write capabilities (restore, approve, patches) and the ability to modify system service configurations (launchctl).
  • Sanitization: The script does not sanitize or escape the drifted content before including it in the alert strings intended for agent relay.
  • [COMMAND_EXECUTION]: The scripts/install_launchd_plist.py script executes the macOS system command /bin/launchctl. This is used for the legitimate primary purpose of installing a background service to provide continuous file integrity monitoring, but it involves programmatic interaction with system-level services.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 27, 2026, 08:33 PM