beltic-kya

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, NO_CODE
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill establishes a high-severity vulnerability surface by guiding the agent to process untrusted external content (agent manifests and credentials) while granting the capability to perform high-stakes actions like cryptographic signing and code modification.
  • Ingestion points: External files such as agent-manifest.json, .beltic.yaml, and JSON schema definitions in beltic-spec/.
  • Boundary markers: Absent; the skill lacks specific delimiters or instructions for the agent to ignore embedded commands within processed data.
  • Capability inventory: The agent is authorized to run beltic sign, beltic keygen, and beltic auth, as well as modify SDK verification logic and API routes.
  • Sanitization: While the skill advises validating JSON/YAML before parsing, it does not provide mechanisms to sanitize natural language instructions embedded within that data.
  • [Unverifiable Dependencies] (MEDIUM): The skill instructs the agent to install and use packages @belticlabs/kya and beltic-sdk. These are not from a trusted source organization defined in the security scope, posing a supply-chain risk.
  • [Command Execution] (LOW): The skill guides the agent through numerous CLI operations (beltic init, keygen, sign, etc.). The risk is mitigated by explicit instructions requiring the agent to obtain user confirmation before any sensitive operation.
  • [No Code] (SAFE): The skill consists entirely of markdown documentation and guidance; it does not contain any executable scripts, binaries, or obfuscated code blocks.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:35 AM