The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill possesses a surface for indirect prompt injection by retrieving and displaying potentially untrusted data from a memory store.
Ingestion points: Data is retrieved via search-memories.py from the mem0 memory store (Workflow Step 1 in SKILL.md).
Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when displaying memory results.
Capability inventory: The skill has access to Bash and Read tools, which could be exploited if malicious instructions are injected into the memory and subsequently executed or acted upon by the agent.
Sanitization: There is no evidence of escaping, validation, or filtering of the content retrieved from memory before it is presented to the user or injected into the context via the anti-pattern hook described in proactive-warnings.md.
Command Execution (SAFE): The skill uses Bash to execute a local Python script within the defined plugin environment (${CLAUDE_PLUGIN_ROOT}). The parameters are fixed or derived from the workflow rather than arbitrary user input, minimizing the risk of command injection.

best-practices