foundation-model-agent-loop

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
Findings tagged: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a conversation loop where user input is directly appended to the message history without delimiters or boundary markers. This creates a surface for indirect prompt injection where a user might attempt to override the system prompt instructions.
  • Ingestion points: The user_message parameter in the run_agent_loop function (SKILL.md) is the primary entry point for untrusted data.
  • Boundary markers: The implementation does not use any delimiters (such as XML tags or triple quotes) to separate user content from system instructions.
  • Capability inventory: The agent has the capability to execute any function defined in the TOOL_FUNCTIONS map, including database queries (query_genie) and price calculations.
  • Sanitization: There is no evidence of input validation, escaping, or filtering applied to the user_message before it is sent to the LLM.
  • [COMMAND_EXECUTION]: The skill uses a dispatch map (TOOL_FUNCTIONS) to execute local code based on model output. While this is restricted to a specific set of functions, it represents the primary mechanism through which an injected prompt could cause the agent to perform unintended actions.
  • [EXTERNAL_DOWNLOADS]: The code uses the requests library to make HTTP POST requests to Databricks-hosted serving endpoints. These requests are authenticated using the official databricks-sdk and target legitimate Databricks infrastructure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 02:33 AM