skills/outfitter-dev/agents/trails/Gen Agent Trust Hub

trails

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it stores and later retrieves unvalidated text in the form of logs and handoffs.
      • Ingestion points: The read.ts script reads content from all markdown files within the .trail/notes/ directory hierarchy.
      • Boundary markers: Missing. Content from notes is concatenated into the agent's context with only a markdown file path header (**File**: [path]), which does not provide strong isolation for the LLM.
      • Capability inventory: The skill includes the ability to write files (handoff.ts, log.ts) and read files (read.ts) within the project directory.
      • Sanitization: The skill does not perform any sanitization or escaping of the content stored in or read from the notes files.
  • [COMMAND_EXECUTION] (LOW): A potential path traversal vulnerability exists in scripts/context.ts within the getNotesDir function. The parentSessionId argument is appended to the base directory path without being slugified or validated. While sessionId is truncated to 8 characters in some parts of the logic, parentSessionId is used directly, which could allow an attacker to influence the file system path if they can control the session ID inputs.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:34 PM