serp-toc

Fail

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: HIGH
Threat categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill directs the agent to access and inspect files and repositories containing sensitive credentials and infrastructure access information.
  • It specifically points the agent to files such as /Users/devin/dev/repos/serp-server/docs/ACCESS.md and /Users/devin/dev/repos/serp-server/docs/JUPYTER-TOKEN-ACCESS.md for server and infrastructure access.
  • It directs the agent to a repository dedicated to secrets, environment values, and tokens located at /Users/devin/dev/repos/secrets.serp.co/.
  • It references local documentation files (e.g., docs/REPOS.local.md) that may contain environment variable configurations or sensitive machine-local notes.
  • [COMMAND_EXECUTION]: The skill includes pre-defined commands designed to search for sensitive patterns across local repositories.
  • It provides ripgrep (rg) commands specifically targeting strings like "JUPYTER", "ACCESS", "infra", and "secrets" within documentation directories.
  • It suggests the use of git commands to inspect remote branches and repository states, which could be leveraged to explore non-public code and configurations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to ingest and act upon content from a wide variety of documentation and repository files without proper sanitization.
  • Ingestion points: Multiple local and external files including README.md, docs/REPOS.local.md, docs/REPOS.md, and various files within the serp-server and secrets.serp.co repositories.
  • Boundary markers: Absent. The skill provides no instructions on how to delimit file content or distinguish it from the agent's core instructions.
  • Capability inventory: File system read access, execution of the rg (ripgrep) tool, and execution of git commands.
  • Sanitization: Absent. There is no evidence of validation, filtering, or escaping of the content read from external files before it is processed by the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 3, 2026, 02:07 PM