discord-voice

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted audio transcriptions without adequate safeguards.
  • Ingestion points: In index.ts, the handleTranscript function receives the transcribed text directly from the voice recording session initiated by users in Discord.
  • Boundary markers: The skill does not use delimiters, such as XML tags or markdown blocks, nor does it provide instructions to the agent to ignore embedded commands when processing the user's speech.
  • Capability inventory: The agent is explicitly granted access to its full suite of tools and skills during voice interactions, as confirmed by the runEmbeddedPiAgent configuration in index.ts and mentioned in the project's CHANGELOG.md.
  • Sanitization: No validation, filtering, or sanitization is performed on the transcription before it is interpolated into the agent's prompt.
  • [REMOTE_CODE_EXECUTION]: The plugin performs dynamic loading of JavaScript modules from computed filesystem paths.
  • Evidence: In src/core-bridge.ts, the importCoreModule function uses a dynamic import() statement to load modules from a path derived from the CLAWDBOT_ROOT environment variable. This pattern of dynamic loading from computed paths allows for the execution of code from dynamically determined filesystem locations, which could be exploited if the environment or local filesystem is manipulated.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 24, 2026, 12:25 AM