The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill implements operators designed to ingest data from external human responders which could influence agent logic.
Ingestion points: HITLOperator, HITLBranchOperator, and HITLEntryOperator ingest untrusted selections and form data.
Boundary markers: Absent; user inputs are directly passed into task results/XComs without specialized delimiters.
Capability inventory: Inputs determine DAG execution paths (branching) and are utilized in downstream Python tasks.
Sanitization: No input validation or sanitization logic is present in the provided implementation examples.
[Data Exposure & Exfiltration] (LOW): Documentation includes patterns for performing network operations to external Airflow REST APIs.
Evidence: Example code in Step 4 utilizes requests.get and requests.patch to communicate with a host defined by environment variables.
Context: While safe as a template using os.getenv, it represents an outbound network capability to non-whitelisted domains.
[Unverifiable Dependencies] (LOW): The skill relies on external libraries without specifying or pinning versions.
Evidence: Code examples require requests, pendulum, and apache-airflow-providers-standard.

airflow-hitl