The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from user-provided URLs or text and incorporates this data into its persistent memory and decision-making process.
Ingestion points: Untrusted data enters the agent context through the primary content URL or text argument specified in the SKILL.md frontmatter.
Boundary markers: The instructions lack explicit boundary markers or directives to the agent to isolate the user-provided content from its core instructions, increasing the risk that embedded commands in the input could be followed.
Capability inventory: The skill is instructed to write summaries and decisions to the local file system (specifically the memory/ directory, including memory/content/, memory/hot-cache.md, and memory/decisions.md) as noted in SKILL.md and the Handoff section.
Sanitization: There is no documentation of sanitization, validation, or filtering of the external content before it is processed or stored in the agent's long-term memory.
[NO_CODE]: The skill consists exclusively of markdown documentation and instructional prompts for the agent. It does not contain or execute any accompanying scripts or binary files, which significantly limits its potential for direct malicious impact on the host system.

geo-content-optimizer