NYC

speech-pathology-ai

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it pairs external data ingestion tools with powerful system-level capabilities.
  • Ingestion points: External content is brought into the agent's context via mcp__firecrawl__firecrawl_search and WebFetch.
  • Boundary markers: Absent. The instructions do not define delimiters or provide warnings to the agent to ignore instructions embedded in the data it retrieves from the web.
  • Capability inventory: The skill allows Bash(python:*, pip:*), Write, and Edit. If an attacker-controlled website is processed via Firecrawl, it could inject instructions that the agent then executes via the Bash or file-writing tools.
  • Sanitization: Absent. No sanitization or validation logic is defined for data fetched from external URLs.
  • Command Execution (HIGH): The skill's manifest grants broad Bash access with wildcards for python and pip. This allows the agent to execute any Python script or install any package, which is a high-risk capability when combined with untrusted external input.
  • External Downloads (LOW): The skill requires the installation of several Python packages (librosa, torch, transformers, praat-parselmouth). While these are reputable libraries for the stated purpose, the pip:* permission allows for the installation of unverified or malicious packages if the agent is compromised via injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:07 AM