Gen Agent Trust Hub: skills/within-7/aiter/memory

memory

Status: Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation defines several fields specifically intended to store and execute arbitrary shell commands.
  • In tasks.md, the action field is used for task-related commands, such as cd ecommerce-backend && npm test && npm run deploy:staging.
  • In monitors.md, the command and autoRemediate fields contain executable logic for system monitoring and recovery, such as systemctl restart postgresql, pm2 restart api-server, and complex pipelines like df -h / | awk 'NR==2 {print $5}' | tr -d '%'.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it processes and potentially executes data stored in local files that the agent updates based on external interactions.
  • Ingestion points: Files located in .aiter/memory/ (specifically tasks.md, monitors.md, and knowledge.md) serve as the source of truth for agent actions.
  • Boundary markers: The file formats lack delimiters or instructions to ignore embedded commands when processing these files.
  • Capability inventory: The agent can execute subprocesses and system-level commands (e.g., systemctl, npm, pm2) based on the content of the memory files.
  • Sanitization: There is no mention of validation, escaping, or sanitization for the strings retrieved from the memory files before they are passed to a shell for execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 04:10 PM