anki-connect

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary function involves processing data that may originate from untrusted external sources (shared decks or media) while the agent retains significant capabilities to modify the environment.
      ◦ Ingestion points: The skill uses findNotes, notesInfo, findCards, and cardsInfo to read arbitrary card and note content into the agent's context.
      ◦ Boundary markers: No instructions or delimiters are defined to help the agent distinguish its own system instructions from content retrieved from the Anki database.
      ◦ Capability inventory: The agent has the authority to execute shell commands (curl, jq), perform modifications that affect the user's collection (adding, deleting, and updating notes), and fetch external data via the storeMediaFile url parameter.
      ◦ Sanitization: Although the skill recommends jq --arg for structural JSON integrity, this does not sanitize the semantic content of the data, leaving the agent exposed to instructions embedded within note fields.
  • Command Execution (LOW): The skill relies on direct execution of shell commands for all operations.
      ◦ Evidence: SKILL.md provides multiple templates for executing curl and jq pipelines. These are standard tools, but their use increases the impact of any successful prompt injection.
  • Data Exposure & Exfiltration (LOW): The skill is designed to read potentially sensitive personal data from a local database.
      ◦ Evidence: The notesInfo and retrieveMediaFile actions provide access to the user's entire Anki collection. Although the skill primarily communicates with 127.0.0.1, the storeMediaFile action's url parameter allows arbitrary outbound GET requests, which could be abused for exfiltration if the agent is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:26 AM