adk-eval-guide

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill metadata contains misleading information regarding its origin. The frontmatter in SKILL.md identifies the author as 'Google', which contradicts the actual skill authorship ('eliasecchig'). This is a form of metadata poisoning that can lead users to over-trust the skill's instructions and security posture.
  • [PROMPT_INJECTION]: A code example in references/multimodal-eval.md for a custom evaluation metric creates a significant surface for indirect prompt injection.
    ◦ Ingestion points: Untrusted agent output is collected from actual.final_response.parts and interpolated directly into a prompt for a judge model.
    ◦ Boundary markers: The implementation uses only basic newline delimiters (\n\nAgent response:), which do not reliably isolate the untrusted content from the judge's instructions.
    ◦ Capability inventory: The script uses the google-genai SDK (client.aio.models.generate_content) to execute model calls based on the poisoned prompt.
    ◦ Sanitization: The code example lacks any form of input sanitization, escaping, or validation for the agent-generated text before it is processed by the judge.
  • [COMMAND_EXECUTION]: The skill instructions and examples promote the execution of various CLI commands and the dynamic loading of Python code.
    ◦ Evidence: SKILL.md and references/criteria-guide.md describe running evaluations via adk eval and make eval, and explain how to configure custom_metrics in test_config.json by providing Python module paths that are loaded and executed at runtime.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 05:36 PM