change-order-analysis

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation in SKILL.md demonstrates the use of joblib.load() for loading trained models. This function is inherently unsafe for loading data from untrusted sources as it can lead to arbitrary code execution.
  • Evidence: The load_models method in the ChangeOrderPredictor class uses joblib.load(path) to restore the state of the classifiers and predictors.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from users.
  • Ingestion points: Untrusted data enters via CSV, Excel, or JSON files and text descriptions of change orders as described in instructions.md and SKILL.md (specifically the train and predict methods in ChangeOrderPredictor).
  • Boundary markers: The skill lacks explicit instructions or delimiters to prevent the agent from being influenced by commands embedded within the input data.
  • Capability inventory: The skill has filesystem access to read and write files (via pandas, joblib, and openpyxl), which could be abused if an injection attack is successful.
  • Sanitization: There is no evidence of input validation or sanitization to filter out executable patterns or instructional overrides in the text-based descriptions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 5, 2026, 04:28 AM