The Agent Skills Directory

[DATA_EXFILTRATION]: The skill implements a feature to read local files via absolute paths (file:<ABS_PATH>). This functionality allows the agent to access sensitive files on the host system, such as SSH keys, configuration files, or system logs, if an attacker provides a malicious path as a bug report source.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes data from external and untrusted sources.
Ingestion points: Data enters the agent context through linear:<ISSUE_KEY> fetches, local file reading via file:<ABS_PATH>, and pasted text.
Boundary markers: No specific delimiters or safety instructions are defined to separate untrusted bug report content from the agent's internal logic.
Capability inventory: The agent has the capability to execute browser automation (Playwright), run SQL queries against local and production databases (Supabase), and read the local filesystem.
Sanitization: There is no evidence of sanitization, filtering, or validation of the input data before it is processed by the analysis lanes.
[COMMAND_EXECUTION]: The database lane performs dynamic data probes against local and production environments. While instructions specify 'read-only' access, the execution of queries derived from potentially malicious bug report content presents a risk of unauthorized data discovery or schema exploration.

bug-report-root-cause