os-eval-runner
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains instructions for a 'Hardened Bootstrap' phase (documented in SKILL.md and QUICKSTART.md) that executes rm -rf .agent .agents .gemini .claude. This command deletes configuration and metadata directories used by various AI agent platforms, which may contain sensitive session tokens, API keys, local history, or environment configurations.
- [PROMPT_INJECTION]: The skill's core architecture (detailed in references/program.md and references/research/karpathy-autoresearch-3-file-eval.md) mandates a 'NEVER STOP' protocol. This directive explicitly instructs the agent to ignore human interruption and continue autonomous loops indefinitely, which can result in unintended compute resource consumption and persistent execution without oversight.
- [DATA_EXFILTRATION]: The skill orchestrates synchronization with remote repositories using git push origin main. While this is part of the intended ledger-keeping workflow, it facilitates the transmission of skill content, historical traces, and experimental results to a user-defined external server.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it autonomously processes, modifies, and evaluates untrusted content from SKILL.md files and evals.json test fixtures. This ingestion surface allows potentially malicious instructions to enter the agent's context during the recursive optimization loop.
Audit Metadata