The Agent Skills Directory

[DATA_EXFILTRATION]: The skill documents and enables access to the local filesystem through the file() function, which explicitly supports absolute paths (e.g., /users/username/path/to/file.txt). This allows reading sensitive system or user files. When combined with the fetch() function, this capability could be used to exfiltrate file contents to remote servers.
[COMMAND_EXECUTION]: The "Function Fetching" feature allows for the execution of arbitrary synchronous or asynchronous JavaScript/TypeScript logic at build or runtime. This enables unverified code execution within the environment where the content is processed.
[EXTERNAL_DOWNLOADS]: The skill utilizes the fetch() function to retrieve data from external URLs, which allows for the dynamic inclusion of remote content. This can be exploited to download malicious payloads or interact with untrusted services.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its content processing nodes. 1. Ingestion points: External data via fetch(), local file content via file(), and variables interpolated into insert() templates. 2. Boundary markers: Documentation lacks explicit delimiters or instructions to ignore instructions within dynamic content. 3. Capability inventory: Network access (fetch), file access (file), and logic execution (Function Fetching). 4. Sanitization: While tagfilter is mentioned for Markdown, no sanitization is defined for other insertion points.

intlayer-content