faion-backend-developer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill analyzes untrusted local files to determine the project's backend stack, creating a significant attack surface.
  • Ingestion points: The skill uses Glob and Grep to read content from files such as go.mod, Cargo.toml, pom.xml, and others. Specifically, the command Grep("postgres|mysql|mongodb", "**/*") scans all files in the directory for database strings.
  • Capability inventory: The skill is granted Bash, Write, Edit, and Skill tools, enabling it to execute arbitrary shell commands and modify the file system.
  • Boundary markers: No boundary markers or delimiters are defined to separate the data being read from the instructions the agent should follow.
  • Sanitization: There is no evidence of sanitization or logic to prevent instructions embedded within scanned files from overriding the agent's system prompt or behavior.
  • [Command Execution] (HIGH): The inclusion of the Bash tool in allowed-tools is a high-risk capability. When combined with the skill's behavior of scanning untrusted files, it facilitates potential Remote Code Execution (RCE) if an attacker successfully injects instructions into the project codebase that the agent subsequently executes via the shell.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:22 AM