netcdf-metadata

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The skill is designed to ingest untrusted external data (NetCDF files) and extract attributes that are then presented back to the agent or written to disk.
      • Ingestion points: The scripts/extract_netcdf_metadata.py script uses xarray.open_dataset to read user-provided NetCDF files.
      • Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat the extracted metadata attributes as potentially untrusted content.
      • Capability inventory: The skill possesses the capability to write files to the local system (.metadata.csv) and suggests patterns for command execution via subprocess.run and shell commands.
      • Sanitization: Absent. Variable attributes (e.g., units, long_name) are stringified and written directly to CSV without filtering. A malicious NetCDF file could contain prompt injection strings within these attributes designed to hijack the agent's logic when it later processes the CSV output.
  • [Command Execution] (MEDIUM): The SKILL.md documentation provides code patterns for using subprocess.run to call the ncgen utility. If an agent follows these patterns using unsanitized filenames from an untrusted source, it could lead to command injection or unauthorized file manipulation.
  • [External Downloads] (LOW): The skill documentation suggests installing system-level packages (netcdf-bin, netcdf) and Python dependencies using uv or apt. While these are standard for the domain, they represent an external dependency risk if not managed via a secure supply chain.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 06:41 AM