
create-boss

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its data ingestion and distillation pipeline. It analyzes untrusted external content, such as WeChat or Feishu chat transcripts and email archives, to build persona models.
  • Ingestion points: Untrusted data enters the agent context through the parsing scripts located in the tools/ directory (e.g., email_parser.py, wechat_parser.py).
  • Boundary markers: The system lacks explicit boundary markers or delimiters to protect the LLM from being influenced by instructions embedded within the processed chat logs or emails.
  • Capability inventory: The skill maintains broad permissions, including Bash, Read, Write, and Edit, and generates new sub-skills that are user-invocable.
  • Sanitization: There is no evidence of sanitization or instruction-filtering applied to the output of the analyzers before it is written into the new judgment.md or SKILL.md files.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a suite of local Python utilities (tools/skill_writer.py, tools/version_manager.py, etc.). These utilities perform extensive file system operations, including creating directories, writing new executable agent skills, and managing versions through directory deletion and copying. This 'skill factory' mechanism essentially creates a runtime-extensible environment for the agent based on processed data.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 6, 2026, 12:58 PM