internal-comms

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [Prompt Injection] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core design of ingesting untrusted data from multiple enterprise sources without security boundaries.
  • Ingestion points: As defined in examples/3p-updates.md, examples/company-newsletter.md, and examples/faq-answers.md, the skill proactively reads from Slack channels, corporate Email, Google Drive documents, Calendar events, and External Press articles.
  • Boundary markers: Absent. The instructions do not define delimiters (like XML tags or triple quotes) to separate the data being summarized from the system's instructions, nor do they include 'ignore embedded instructions' warnings.
  • Capability inventory: The skill possesses extensive read access to sensitive organizational data. While its primary output is natural language (newsletters, FAQs), these outputs are intended for wide internal distribution, creating a high-impact channel for spreading malicious content or links if the AI is manipulated by an attacker-controlled Slack post or document.
  • Sanitization: Absent. There is no requirement for the agent to validate or sanitize the content it retrieves from external sources before incorporating it into reports.
  • [Data Exposure] (MEDIUM): The instructions in examples/company-newsletter.md and examples/3p-updates.md specifically direct the agent to seek out documents from 'critical team members' and 'executives.' This focus increases the risk that sensitive, non-public information retrieved from private or semi-private contexts (such as executive emails) is inadvertently leaked into company-wide summaries if the agent applies too low a threshold when deciding what to include in a summary.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:52 PM