The Agent Skills Directory

PROMPT_INJECTION (HIGH): The skill exhibits a significant indirect prompt injection surface by processing external, untrusted content to drive its code generation capabilities.
Ingestion points: The agent reads references/llms-full.txt, references/llms.txt, and references/get-started-python.md, which are updated via a script fetching data from the internet.
Boundary markers: Absent. The agent is instructed to treat these files as authoritative sources for implementation and architecture without delimiters or 'ignore embedded instructions' warnings.
Capability inventory: The skill has high-privilege 'Code Implementation' and 'Architecture Design' capabilities, meaning injected instructions in documentation could lead to the generation of malicious code or backdoors.
Sanitization: Absent. The skill does not validate or sanitize the external content before interpolating it into its reasoning cycle.
EXTERNAL_DOWNLOADS (LOW): The scripts/update-references.sh script performs remote downloads using curl to overwrite local reference files.
Evidence: curl -sL https://raw.githubusercontent.com/google/adk-python/... and curl -sL https://raw.githubusercontent.com/google/adk-docs/....
Trust Evaluation: The source organization (google) is a Trusted External Source, downgrading the severity of the download itself to LOW per [TRUST-SCOPE-RULE].
CREDENTIALS_UNSAFE (LOW): Both the skill instructions and the 'Getting Started' guide encourage users to store sensitive API keys and project IDs in .env files and environment variables.
Evidence: Instructions in SKILL.md for export GOOGLE_CLOUD_PROJECT and command in get-started-python.md to echo 'GOOGLE_API_KEY=...' > .env.
Risk: While standard for local development, this introduces a risk of accidental credential exposure if the .env file is improperly managed or committed to version control.

adk-expert