authentication-flow
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill 'authentication-flow' is primarily a documentation skill, presented as a markdown file (SKILL.md) with several supporting reference markdown files (reference/current.md, reference/passwordless.md, reference/sessions.md). It describes how to implement an authentication system in Rails 8 using built-in features.
- Prompt Injection: No patterns indicative of prompt injection were found in any of the files, including the skill's name, description, or content.
- Data Exfiltration: There are no commands or code snippets that attempt to read sensitive files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) or exfiltrate data to external, non-whitelisted domains. All network-related activities described are within the context of a Rails application's normal operation (e.g., sending magic links via email, handling session cookies).
- Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in any of the files.
- Unverifiable Dependencies: The skill describes using standard Rails features and generators (bin/rails generate authentication, has_secure_password, ActiveSupport::CurrentAttributes, SecureRandom). It does not instruct the agent to install external, unverified packages via npm, pip, or similar package managers. Therefore, there are no unverifiable dependencies.
- Privilege Escalation: No commands like sudo, chmod 777, or attempts to install system-level services were found.
- Persistence Mechanisms: No attempts to modify user shell configurations (.bashrc, .zshrc), create cron jobs, or establish other persistence mechanisms were detected.
- Metadata Poisoning: The skill's metadata (name, description) is clean and accurately reflects its purpose.
- Indirect Prompt Injection: As a descriptive skill, it does not directly process external user input in a way that would expose the AI to indirect prompt injection. The described authentication system, if implemented, would handle user input, but the skill itself is not performing this action.
- Time-Delayed / Conditional Attacks: No conditional logic designed to trigger malicious behavior based on time, usage, or environment was found.
Adversarial Reasoning: The skill's allowed-tools include Bash, Read, Write, Edit, Glob, and Grep. While Bash is a powerful tool that could be misused if the agent were given malicious instructions, the skill's content itself only provides benign, standard Rails bash commands (bin/rails generate authentication, bin/rails db:migrate) as examples for the user to execute. The skill's primary function is to provide information and code examples, not to execute arbitrary commands. The code snippets provided are focused on secure authentication practices, including secure cookie settings, session expiration, and rate limiting.
Conclusion: The skill is a well-documented guide for implementing a secure authentication system. Its content is clean and does not pose any direct security threats. The potential risk associated with the Bash tool is inherent to its inclusion in allowed-tools for any skill, but this skill does not exploit it maliciously.