The Agent Skills Directory

[COMMAND_EXECUTION]: The skill defines an 'Autonomous Execution Protocol' in di/SKILL.md that explicitly instructs the agent to 'directly enter execution, do not wait for confirmation' if confidence exceeds 85%. It lists high-impact activities such as scanning existing code, creating modules, migrating call points, and updating tests as operations to be performed without user intervention.
[PROMPT_INJECTION]: In SKILL.md, the skill uses directive language to override standard agent-user interaction patterns, stating that 'routing is internal' and 'not exposed to the user'. This encourages the agent to suppress transparency and prioritize its internal state transitions over user visibility.
[COMMAND_EXECUTION]: The skill contains logic in tian/SKILL.md and ren/SKILL.md to automatically modify local data files (graph.json, zhen-log.json) and generate 'evolution' suggestions that modify the skill's own operational rules.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted 'seeds' from user input in tian/SKILL.md, stores them in a persistent knowledge graph, and later processes these stored inputs as the basis for autonomous code execution in di/SKILL.md without sanitization or boundary markers. • Ingestion points: tian/SKILL.md (Step 1
Receive seed). • Boundary markers: Absent. The skill lacks instructions to delimit or ignore embedded commands within user-provided seeds. • Capability inventory: di/SKILL.md (Code refactoring, module creation, and test modification capabilities). • Sanitization: Absent. There is no evidence of filtering or validation for the content of seeds before they are used to drive execution logic.

sancai-zhen