software-tool-research

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's core functionality involves ingesting and processing untrusted data from external software repositories, creating a significant attack surface for indirect prompt injection.
  • Ingestion points: SKILL.md (Workflows 1, 2, 4, 5) instructs the agent to use read_file, grep_search, and semantic_search to consume content from repository files, including READMEs and source code.
  • Boundary markers: The instructions do not define delimiters or provide 'ignore instructions' warnings when processing this untrusted content, allowing embedded malicious prompts to potentially hijack the agent's logic.
  • Capability inventory: The agent possesses file system access and search tools. A malicious repository could use documentation to trick the agent into mischaracterizing the software or attempting unauthorized file access.
  • Sanitization: There is no evidence of sanitization, filtering, or validation logic for the external data being processed.
  • Data Exposure (LOW): As part of its 'Security Focus', the skill encourages the agent to search for hardcoded secrets and sensitive configuration files like .env or credentials. While this is a functional feature for a research tool, it involves handling sensitive data which could be exposed if the agent's output is not properly restricted.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:27 AM