erp-data-extractor

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection: it ingests untrusted data from external files (CSV, Excel, JSON) without boundary markers or sanitization, so instructions embedded in that data could influence the agent's behaviour.
  • Ingestion points: data enters the context through user-provided files, as described in instructions.md, and is processed in SKILL.md by extract_from_dataframe.
  • Boundary markers: no delimiters are placed around ingested content, and the agent is given no instruction to ignore commands embedded in it.
  • Capability inventory: the skill can write to the filesystem and generate SQL strings, so injected instructions have something to act on.
  • Sanitization: no validation or escaping is applied to external content before it is processed.
  • [COMMAND_EXECUTION]: The generate_sql_query method in SKILL.md builds SQL statements by f-string interpolation. Table names, column names and filter values are inserted without validation or parameterization, which is a SQL injection vulnerability wherever any of those parameters is derived from untrusted input. Filter values should be bound as query parameters; table and column names cannot be parameterized and need to be checked against an allowlist of known identifiers.
  • [DATA_EXFILTRATION]: The skill requests filesystem permissions and exposes export methods that write to local paths (export_to_excel, export_to_json). These exist for legitimate reporting, but if the destination path is controlled by an attacker or by a malicious prompt, they can be used to write data to sensitive or unauthorized locations. A practitioner would confine exports to a fixed output directory and reject any resolved path that falls outside it.
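The COMMAND_EXECUTION finding above, worked through as an added example. This is not code from the erp-data-extractor skill: the audit page does not show the body of generate_sql_query, so generate_sql_query_unsafe below is a hypothetical reconstruction of the f-string pattern it describes, placed beside a hardened generate_sql_query_safe. The orders table, its columns and the sample rows are constructed for the demo, and the skill is assumed to talk to a DB-API database (SQLite in memory here).

```python
import re
import sqlite3

# Added example, not code from the erp-data-extractor skill. The schema below is
# constructed for the demo; the real skill's tables and the exact body of its
# generate_sql_query are not shown on the audit page.
ALLOWED_COLUMNS = {
    "orders": {"id", "customer", "amount", "region"},
}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def generate_sql_query_unsafe(table, columns, filters):
    """Hypothetical reconstruction of the f-string pattern the audit describes."""
    select = ", ".join(columns)
    where = " AND ".join(f"{col} = '{val}'" for col, val in filters.items())
    return f"SELECT {select} FROM {table} WHERE {where}"


def _check_identifier(name, allowed):
    # Identifiers cannot be bound as query parameters, so they are allowlisted
    # and shape-checked instead of escaped, then quoted as SQL identifiers.
    if name not in allowed or not IDENT_RE.match(name):
        raise ValueError(f"identifier not allowed: {name!r}")
    return '"%s"' % name


def generate_sql_query_safe(table, columns, filters):
    """Hardened variant: allowlisted, quoted identifiers; values bound as parameters."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"table not allowed: {table!r}")
    allowed = ALLOWED_COLUMNS[table]
    select = ", ".join(_check_identifier(c, allowed) for c in columns)
    sql = f'SELECT {select} FROM "{table}"'
    params = []
    if filters:
        clauses = []
        for col, val in filters.items():
            clauses.append(f"{_check_identifier(col, allowed)} = ?")
            params.append(val)  # the value travels as a bound parameter, never as SQL text
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def rejects(table, columns, filters):
    """True if the hardened builder refuses the request."""
    try:
        generate_sql_query_safe(table, columns, filters)
    except ValueError:
        return True
    return False


def demo():
    """Run both builders against an in-memory SQLite table with an injected filter value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, amount REAL, region TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1, "acme", 10.0, "EU"), (2, "globex", 20.0, "US")],  # constructed rows
    )
    payload = "EU' OR '1'='1"  # a filter value as it might arrive from an untrusted file
    unsafe_rows = conn.execute(
        generate_sql_query_unsafe("orders", ["id"], {"region": payload})
    ).fetchall()
    sql, params = generate_sql_query_safe("orders", ["id"], {"region": payload})
    safe_rows = conn.execute(sql, params).fetchall()
    conn.close()
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print(demo())  # (2, 0): the injected value widens the unsafe query to every row
```

The unsafe builder turns the payload into `WHERE region = 'EU' OR '1'='1'` and returns both rows; the hardened builder sends the same string as a bound parameter, matches nothing, and refuses any table or column name that is not in its allowlist, including names that merely look like identifiers followed by a comment or a second statement.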
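The DATA_EXFILTRATION finding above, worked through as an added example of confining export destinations. This is not the skill's export_to_json: the audit page only says the skill writes exports to local paths it is given, so the fixed export root, the safe_export_path helper and the suffix allowlist are assumptions about how a hardened version would look, and the sample records are constructed.

```python
import json
import tempfile
from pathlib import Path

# Added example, not the skill's export_to_json. The function names and the
# idea of a fixed export root are assumptions; the audit page only says the
# skill writes exports to local paths it is given.
ALLOWED_SUFFIXES = {".json", ".xlsx"}


def safe_export_path(requested, export_root):
    """Resolve a requested export path and refuse anything outside export_root."""
    root = Path(export_root).resolve()
    # Path joining discards root when `requested` is absolute, and resolve()
    # collapses '..' and follows symlinks, so the containment check below sees
    # the real filesystem target rather than the string the caller supplied.
    target = (root / requested).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"export path escapes export root: {requested!r}")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"export file type not allowed: {requested!r}")
    return target


def export_to_json(records, requested, export_root):
    """Write records as JSON only if the destination is confined to export_root."""
    target = safe_export_path(requested, export_root)
    target.parent.mkdir(parents=True, exist_ok=True)
    with target.open("w", encoding="utf-8") as fh:
        json.dump(records, fh)
    return target


def export_allowed(requested, export_root):
    """True if export_to_json would accept the destination (no file is written)."""
    try:
        safe_export_path(requested, export_root)
    except ValueError:
        return False
    return True


def demo():
    """Try one legitimate and three hostile destinations against a temporary export root."""
    root = tempfile.mkdtemp(prefix="erp_exports_")
    records = [{"id": 1, "customer": "acme"}]  # constructed sample data
    written = export_to_json(records, "reports/q1.json", root)
    return {
        "reports/q1.json": written.exists(),
        "../outside.json": export_allowed("../outside.json", root),
        "/etc/cron.d/job.json": export_allowed("/etc/cron.d/job.json", root),
        "reports/q1.sh": export_allowed("reports/q1.sh", root),
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path, not on the requested string, so `..` segments, absolute paths that would otherwise replace the root on joining, and symlinks planted inside the export directory are all caught by the same containment test; the suffix allowlist additionally stops a prompt from turning a report export into a dropped script or cron file.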
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 5, 2026, 04:28 AM