rust-agent-handoff

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The core protocol relies on agents reading 'handoff' files (.yaml) to understand their tasks and context. These files contain natural language fields such as summary, task, and context.
      • Ingestion points: SKILL.md instructs agents to use cat <provided-path> and recursive parent lookups during startup.
      • Boundary markers: Absent. There are no instructions to treat the YAML content as untrusted or to wrap it in delimiters.
      • Capability inventory: The targeted agents (Rust developers, architects, CI/CD) typically possess high-privilege capabilities including file system modification, command execution (cargo), and network access.
      • Sanitization: Absent. The skill provides no mechanism to validate or escape the content of the handoff files before they influence the agent's logic.
  • Command Execution & Path Traversal (MEDIUM): The 'Reading Parent Context' section in SKILL.md provides bash snippets that are vulnerable to path traversal.
      • Evidence: cat ".local/handoff/${PARENT_ID}.yaml", where PARENT_ID is extracted directly from the parent: field of a YAML file. A malicious actor could set the parent field to ../../../../etc/passwd or similar to trick the agent into reading sensitive system files during its initialization phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:08 PM