The Agent Skills Directory

[PROMPT_INJECTION]: The skill establishes a mechanism for 'institutional memory' by reading content from context/, research/, and docs/ directories. This creates a significant surface for indirect prompt injection, where malicious instructions hidden in external data (like research papers or project files) could be adopted by the agent as permanent context.
Ingestion points: Files located in context/, companies/, docs/, research/, and PROJECT.md are read at the start of every conversation.
Boundary markers: No delimiters or warnings to ignore embedded instructions are specified for the context files.
Capability inventory: The skill can write files to the workspace, create new agent skills in .cursor/skills/, and define new rules in .cursor/rules/.
Sanitization: No escaping or validation of the content being saved to the workspace is mentioned.
[COMMAND_EXECUTION]: The instructions direct the agent to dynamically generate and save new skills and rules into configuration directories (.cursor/skills/, .agents/skills/, .cursor/rules/). This allows for the creation of persistent, executable logic that survives across sessions and could be manipulated by an attacker to gain long-term control over agent behavior.
[DATA_EXFILTRATION]: The skill requires the agent to read sensitive strategic documents, including product positioning, goals, and internal research. While no network exfiltration code is present in this skill, the systematic aggregation of sensitive data creates a high-impact target for other skills or tools that do possess network access.
[PROMPT_INJECTION]: The skill instructs the agent to 'Don't ask permission for small context saves' and to act 'proactively'. This design reduces user oversight and could allow an agent influenced by an injection to silently modify the workspace or poison its own long-term memory without the user's knowledge.

saving-workspace-context