The Agent Skills Directory

[COMMAND_EXECUTION]: The skill heavily relies on read_file and write_file to manage 'card' instances and 'activation records'. The worm-pointer example provides methods like EAT and CHOMP to ingest file content and POOP or BARF to write/append data elsewhere in the filesystem, which could be used to manipulate sensitive files.
[PROMPT_INJECTION]: The skill defines a 'Dynamic Execution' framework in moollm-fluxx-cards.yml using verbs such as EVAL, EVAL-AS-CARD, and ACTIVATE-DATA. These methods instruct the agent to treat data found in 'data items' (YAML cards) as executable instructions ('advertisements'), making the agent vulnerable to instructions embedded in external files.
[DATA_EXFILTRATION]: The worm-pointer and worm-sitemap-caster patterns describe a cursor-based approach to traversing directories and extracting metadata or content ('eating'). While no outbound network tools are explicitly listed in the frontmatter, this pattern provides the necessary primitives for unauthorized data access and staging for exfiltration.
[PROMPT_INJECTION]: The 'Fluxx' mechanic described in FLUXX.md and moollm-fluxx-cards.yml allows for 'self-modifying' behavior where cards can change the room.rules or allowed_actions. An attacker could use this to disable safety constraints or restrict legitimate agent behavior.
[PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection through its ingestion points.
Ingestion points: The skill reads untrusted data from YAML files via read_file during 'card activation' and 'worm crawling' processes.
Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands within the ingested card data.
Capability inventory: The skill has access to read_file, write_file, and list_dir. The EVAL logic allows these tools to be used based on data-driven instructions.
Sanitization: No sanitization or validation of the 'advertisement' content is performed before the agent 'resolves' it as an action.

card