systematic-debugging

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest external, untrusted content (Phase 1: Error messages, logs, stack traces, and git diffs) while possessing high-privilege write/execute capabilities.
      • Ingestion points: SKILL.md (Phase 1) directs the agent to ingest error logs and multi-component boundary data.
      • Capability inventory: The skill utilizes npm test (via find-polluter.sh), git init, and sensitive system commands (security, codesign).
      • Boundary markers: Absent. The agent has no mechanism to distinguish between legitimate logs and malicious instructions embedded within them.
      • Sanitization: Absent. Data from external components is processed directly into decision-making and command-line execution.
  • Command Execution & RCE (HIGH): The script find-polluter.sh executes npm test "$TEST_FILE" within a loop based on shell-expanded patterns. If a project contains malicious test files or if file paths are manipulated, this results in arbitrary code execution in the agent's environment.
  • Data Exposure & Exfiltration (MEDIUM): SKILL.md provides examples for diagnostic instrumentation that expose highly sensitive system information.
      • Evidence: security list-keychains, security find-identity -v, and env | grep IDENTITY. While intended for build debugging, these commands expose credentials and cryptographic identities to the agent's context, which could be exfiltrated if a network-capable tool is used subsequently.
  • Prompt Injection (LOW): The files test-pressure-1.md, test-pressure-2.md, and test-pressure-3.md utilize scenario-based framing and social pressure (e.g., 'Revenue loss: $15,000/minute', 'Senior engineer annoyed') to influence the agent's adherence to its internal process. While these are validation tests, they mimic adversarial prompt techniques designed to force specific behaviors.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 09:03 PM