bmad-discovery-research

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It is designed to ingest untrusted data from external sources and use it to drive agent behavior and output generation without any sanitization or boundary markers.
      • Ingestion points: Untrusted data enters the agent context through WebSearch operations (referenced in REFERENCE.md) and by reading/grepping user-provided repositories and documents (referenced in SKILL.md).
      • Boundary markers: The skill does not define any delimiters or provide instructions to the agent to ignore or isolate embedded commands found within the external content.
      • Capability inventory: The skill allows the use of Write, Read, and Grep tools. This provides a significant attack surface where an injection could lead to unauthorized file modification, data exposure, or redirection of the workflow.
      • Sanitization: There is no evidence of content validation, escaping, or filtering of the external data before it is processed or used in templates.
  • [EXTERNAL_DOWNLOADS] (LOW): The research workflow in REFERENCE.md explicitly instructs the agent to use WebSearch to gather information from arbitrary external domains. This is a standard functional requirement for a research skill but represents a consistent external data ingestion channel.
  • [COMMAND_EXECUTION] (LOW): The skill utilizes the Grep and Write tools to perform its core functions. While these are legitimate tools for its purpose, they grant the agent the ability to interact with the filesystem, which increases the impact of any successful prompt injection attack.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:20 AM