email-construction

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [DATA_EXFILTRATION]: The ConstructionEmailSender class in SKILL.md contains a send method that programmatically reads files from the local filesystem and attaches them to outgoing emails. Because the skill requests filesystem permissions in claw.json, an attacker could potentially exploit the agent to exfiltrate sensitive files (such as SSH keys, environment variables, or configuration files) by tricking the agent into adding those file paths to the attachments list.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. The instructions.md file directs the agent to accept and process project data from external formats like CSV, Excel, and JSON. The Python logic in SKILL.md (e.g., generate_rfi_response_email) uses f-strings to directly interpolate user-provided content into email bodies without any sanitization or boundary markers. Malicious instructions embedded within a processed Excel log or RFI query could lead the agent to ignore its primary task or execute unintended actions.
  • [CREDENTIALS_UNSAFE]: The ConstructionEmailSender class is designed to handle SMTP authentication using a username and password. While the code snippets provide a functional template, the architecture requires the agent to manage plaintext credentials in its environment or context to perform its core function, increasing the risk of credential exposure if the agent's memory is accessed through prompt injection.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 04:28 AM