analyzing-market-sentiment

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DYNAMIC_EXECUTION]: The script scripts/news_sentiment.py attempts to dynamically load code from a sibling plugin directory using sys.path.insert. It targets ../../../../../crypto-news-aggregator/skills/aggregating-crypto-news/scripts to import NewsAggregator. Loading code from this computed relative path is a risk if an attacker can manipulate the directory structure or place malicious files in the targeted path.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via external data sources. The scripts/news_sentiment.py file fetches article titles and summaries from various RSS feeds (CoinTelegraph, CoinDesk, Decrypt). These headlines are processed and presented back to the agent with no sanitization beyond HTML tag removal. A malicious news headline could contain instructions aimed at influencing the agent's subsequent actions.
      • Ingestion points: scripts/news_sentiment.py (via RSS feeds).
      • Boundary markers: None identified in the processing of news text.
      • Capability inventory: Execution of Python scripts via Bash tool (crypto:sentiment-*), file reading (Read).
      • Sanitization: Uses simple regex re.sub(r"<[^>]+>", "", title) to strip HTML, which does not prevent natural language instruction injection.
  • [DATA_EXPOSURE]: The documentation in references/implementation.md instructs the agent to load API credentials from {baseDir}/config/crypto-apis.env. While the skill does not provide this file itself, it defines a pattern where sensitive credentials are expected in a specific local configuration file, which could be a target for other malicious skills.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 5, 2026, 07:55 AM