The Agent Skills Directory

[PROMPT_INJECTION]: The skill implements a self-modification loop described in the 'How to update skills' section. It directs the agent to evaluate 'all activities done previously' and incorporate 'successful techniques' or 'discoveries' into the skill's reference files. This persistence of session data into the skill definition allows for potential indirect prompt injection.
[PROMPT_INJECTION]: Ingestion points: The agent is instructed to use its own session history and findings from analyzed content as the source for updating its instructions.
[PROMPT_INJECTION]: Boundary markers: The skill includes 'Strict constraints' intended to prevent the inclusion of target-specific data, such as IPs or hostnames, but these markers do not prevent the persistence of malicious logic or biased instructions if they are perceived as generalizable patterns.
[PROMPT_INJECTION]: Capability inventory: The skill's primary function includes writing to and modifying files within the agent's skill directory structure (e.g., '.claude/skills/').
[PROMPT_INJECTION]: Sanitization: There are no explicit validation or sanitization steps for the 'discoveries' made by the agent before they are written to the skill files, relying solely on the agent's judgment to generalize the content safely.

skill-update