Gen Agent Trust Hub audit: skills/cleanexpo/ato/skill-manager

skill-manager

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection in 'MODE 2: Generate Skill'. It accepts free-form descriptions from users to generate new SKILL.md files. Without explicit sanitization or boundary markers between the user input and the generated instruction set, an attacker could provide a description that results in a generated skill containing malicious prompt injections or dangerous directives.
  • Ingestion points: User-provided free-form description in MODE 2 ('Input' section of Generation Workflow).
  • Boundary markers: Absent; the workflow does not specify delimiters or warnings to ignore instructions within the user-provided description when generating the new skill.
  • Capability inventory: File writing (.skills/custom/{name}/SKILL.md), registry modification (.skills/AGENTS.md), and project structure scanning.
  • Sanitization: Not mentioned; the process resolves templates or generates from scratch based on raw description relevance.
  • [DATA_EXFILTRATION]: In 'MODE 1: Full Analysis', the skill performs an extensive scan of the project environment, accessing configuration files such as .github/workflows/, docker-compose.yml, and database models. While this is used for 'Gap Analysis', the breadth of project metadata being read represents a significant data exposure if the skill's logic is ever compromised or directed to send this metadata externally.
  • [COMMAND_EXECUTION]: The skill has the capability to write and modify files on the local filesystem, specifically creating new executable instructions (SKILL.md files) and updating the central skill registry. Because this 'Register' step is automated, any generated content, including potentially malicious content, is immediately integrated into the agent's active execution environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 02:27 AM