dont-be-greedy

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary purpose is to ingest untrusted data from external files (CSV, JSON, LOG, etc.) and present previews or summaries to the agent. This creates a high-risk surface for indirect prompt injection.
  • Ingestion Points: scripts/quick_inspect.py (lines 14, 31, 48) and scripts/summarize.py (line 21) read and process external file content.
  • Boundary Markers: None. The instructions in SKILL.md do not require the agent to wrap external content in delimiters or include 'ignore instructions' warnings.
  • Capability Inventory: The skill has access to the bash tool with permissions for python, cat, and other utilities, allowing it to perform side effects based on agent reasoning.
  • Sanitization: No sanitization or filtering is performed on the file content before it is summarized and returned to the agent's context.
  • Command Execution (HIGH): The instructions in SKILL.md (Steps 1 and 3) recommend executing bash commands by interpolating a file path into a command string: python scripts/estimate_size.py "<file_path>". If the <file_path> supplied by a user contains shell metacharacters (e.g., "; python -c '...' ; "), the interpolated string could result in arbitrary command execution within the bash tool environment, especially if the agent does not strictly sanitize the input variable before building the command.
  • Metadata Poisoning (LOW): The skill includes instructions like 'Return a safe preview and summary without asking the user what to do' and 'Act immediately'. While intended for automation, these instructions encourage the agent to bypass human-in-the-loop checks when handling potentially malicious external data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:49 AM