building-chat-interfaces

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill implements a pattern of direct instruction interpolation. In SKILL.md, the backend code constructs an agent's instructions by concatenating conversation history and user/page metadata: instructions=f"{history_str}\nUser: {user_info.get('name')}\n{system_prompt}".
    • Evidence: This merges control-plane instructions with data-plane content (untrusted user input and historical context) without boundary markers or sanitization.
  • [CREDENTIALS_UNSAFE] (HIGH): The MCP Tool Authentication section recommends injecting raw access tokens into the LLM's system prompt.
    • Evidence: SYSTEM_PROMPT = "... Access Token: {access_token} ...". This makes the token accessible to the model, where it can be leaked via prompt injection or accidentally included in tool calls to untrusted endpoints.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill creates a significant attack surface by ingesting untrusted external data and providing the agent with execution capabilities.
    • Ingestion Points: pageContext (containing page descriptions and headings extracted from the DOM in the frontend) and history_str (from the database) are injected into the backend agent instructions.
    • Boundary Markers: None. No delimiters or "ignore instructions" warnings are present in the interpolation logic.
    • Capability Inventory: The agent uses Runner.run_streamed and is configured with tools (your_search_tool), allowing injected instructions to trigger side effects.
    • Sanitization: None. The DOM content is extracted and sent directly to the backend without filtering.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill loads a remote script from an OpenAI CDN.
    • Evidence: https://cdn.platform.openai.com/deployments/chatkit/chatkit.js is loaded via a Next.js Script component. While it comes from a trusted organization (OpenAI), it represents a runtime dependency on external code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:55 AM