devin-cursorrules

The skill's self-evolution mechanism allows user corrections and feedback to be directly incorporated into the scratchpad.md file without explicit data boundary markers. The instructions state that 'Whenever you correct the AI, it can update its "lessons learned" in .cursorrules' and the scratchpad contains a 'Lessons' section that accumulates knowledge. User-provided corrections could contain instruction-like content that overrides the skill's behavior when the AI references these lessons in future interactions.

The skill includes web browsing and search engine capabilities through Playwright and DuckDuckGo integration. The instructions indicate that 'The AI automatically decides how and when to use them' based on user requests. User-provided search queries or URLs could contain shell metacharacters, additional parameters, or path traversal sequences that could alter tool behavior. For example, a user could provide search terms containing semicolons, backticks, or other shell metacharacters that might be passed unsanitized to the underlying tools.

The skill explicitly instructs the agent to update and maintain a 'lessons learned' section that persists beyond individual tasks. This creates a mechanism for information to influence future unrelated tasks through accumulated knowledge storage.

The skill describes a 'self-evolution' capability where the AI updates its behavior based on corrections. While presented as project-specific, the mechanism could potentially influence behavior on unrelated tasks if the stored lessons are broadly applicable.

The skill instructions contain multiple pip install commands for packages that are not listed in the declared dependencies. This includes cookiecutter, playwright, and other packages that are installed through commands in the tutorial and setup instructions.

The skill instructions direct users to clone an external GitHub repository using cookiecutter without pinning to a specific commit hash. The command 'cookiecutter gh:grapeot/devin.cursorrules --checkout template' references a mutable branch/tag rather than a specific commit, allowing the repository owner to modify the cloned content after the skill is published.

Adversarial finding (prompt_injection_chains): The skill's self-evolution mechanism allows user corrections and feedback to be directly incorporated into the scratchpad.md file without explicit data boundary markers. The instructions state that 'Whenever you correct the AI, it can update its "lessons learned" in .cursorrules' and the scratchpad contains a 'Lessons' section that accumulates knowledge. User-provided corrections could contain instruction-like content that overrides the skill's behavior when the AI references these lessons in future interactions.

Adversarial finding (prompt_injection_chains): The skill includes web browsing and search engine capabilities through Playwright and DuckDuckGo integration. The instructions indicate that 'The AI automatically decides how and when to use them' based on user requests. User-provided search queries or URLs could contain shell metacharacters, additional parameters, or path traversal sequences that could alter tool behavior. For example, a user could provide search terms containing semicolons, backticks, or other shell metacharacters that might be passed unsanitized to the underlying tools.

Adversarial finding (context_poisoning): The skill explicitly instructs the agent to update and maintain a 'lessons learned' section that persists beyond individual tasks. This creates a mechanism for information to influence future unrelated tasks through accumulated knowledge storage.

Adversarial finding (context_poisoning): The skill describes a 'self-evolution' capability where the AI updates its behavior based on corrections. While presented as project-specific, the mechanism could potentially influence behavior on unrelated tasks if the stored lessons are broadly applicable.

Adversarial finding (dependency_confusion): The skill instructions contain multiple pip install commands for packages that are not listed in the declared dependencies. This includes cookiecutter, playwright, and other packages that are installed through commands in the tutorial and setup instructions.

Adversarial finding (dependency_confusion): The skill instructions direct users to clone an external GitHub repository using cookiecutter without pinning to a specific commit hash. The command 'cookiecutter gh:grapeot/devin.cursorrules --checkout template' references a mutable branch/tag rather than a specific commit, allowing the repository owner to modify the cloned content after the skill is published.