google-docs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by ingesting untrusted data from external sources and providing high-privilege write/execute capabilities.
  - Ingestion points: The read_document, list_documents, and get_document_info operations in docs_operations.py ingest content from arbitrary Google Docs which can be controlled by external parties.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the skill definition.
  - Capability inventory: The skill can create, append, and replace text in documents, and export data to the local file system (export_document).
  - Sanitization: There is no evidence of sanitization or filtering for content retrieved from documents before it is processed by the agent.
- Command Execution (MEDIUM): The skill frequently executes local Python scripts (docs_operations.py, google_auth.py) via the shell. If the agent allows unsanitized document content to be passed as arguments (e.g., document titles or search queries), it could lead to command injection, although the current implementation uses structured arguments.
- Data Exposure (LOW): The export command allows writing document content to the local filesystem (--output ./report.pdf). While intended for reports, an attacker could potentially use this to write files to sensitive locations if the output path is influenced by untrusted data.
Recommendations
- AI detected serious security threats