The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is designed to perform "introspection without instrumentation" by reading untrusted external data to reconstruct its internal stack.
Ingestion points: Uses session_log, room_state, chat_context, and file_timestamps as primary evidence sources in the Dynamic Deoptimization section.
Boundary markers: Absent. The instructions encourage the LLM to "examine" and "synthesize" a virtual stack trace directly from the narrative trail without delimiters or safety warnings.
Capability inventory: The skill is granted read_file and write_file permissions. This creates a high-risk path where poisoned logs (containing instructions disguised as room descriptions or chat history) could trick the agent into performing unauthorized file writes when "restoring context."
Sanitization: None detected. The logic relies on "reconstructed causality" from potentially attacker-controlled session history.
Data Exposure (LOW): The "Portable Journey" feature encourages saving and sharing the stack (which includes room paths and context) with others. If the navigation history contains sensitive file paths or data extracted via read_file, this could facilitate accidental exposure.

return-stack