n8n-architect

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed primarily to ingest external workflow data (JSON or natural-language descriptions) and use it to drive logic, architecture decisions, and code generation.
    ◦ Ingestion points: The orchestrator in SKILL.md and the auditor in skills/n8n-validation-expert/SKILL.md process user-provided n8n workflow definitions.
    ◦ Capability inventory: The agent can generate executable JavaScript (skills/n8n-code-javascript/SKILL.md) and configure Model Context Protocol (MCP) clients that execute local shell commands.
    ◦ Boundary markers: No explicit instructions or delimiters separate user-provided data from system instructions, and there are no instructions to ignore natural-language commands embedded in the workflow JSON.
    ◦ Sanitization: The skill provides a checklist for securing the user's workflow, but has no self-protection against malicious instructions embedded in the data it audits.
  • [Remote Code Execution] (LOW): The skill facilitates downloading and executing remote packages via npx for MCP servers.
    ◦ Evidence: Found in skills/n8n-mcp-tools-expert/references/mcp-servers-compatibles.md (e.g., npx -y @modelcontextprotocol/server-filesystem).
    ◦ Trust Status: These packages originate from the @modelcontextprotocol organization, which is considered a reputable source. Per [TRUST-SCOPE-RULE], this finding is downgraded to LOW.
  • [Command Execution] (MEDIUM): The skill provides templates for the agent to configure shell-based tools that interact with the host filesystem and databases.
    ◦ Evidence: Configuration examples in skills/n8n-mcp-tools-expert/SKILL.md use command: "npx" and args: [...] to interact with the local environment.
    ◦ Risk: If the agent is successfully injected, an attacker could manipulate these command arguments to gain broader access to the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:42 PM