oma-translator

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill references a mechanism for dynamic loading of instructions. The 'Execution Protocol' section of SKILL.md states that vendor-specific execution protocols are injected from paths like ../_shared/runtime/execution-protocols/{vendor}.md. Loading content from computed paths at runtime is a risk factor: if the vendor variable is improperly sanitized or comes from an untrusted source, it could be exploited for path traversal or to load unintended instruction files.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Since its primary function is to process and translate untrusted text provided by users, malicious instructions could be embedded within the source content. The current instructions lack explicit sanitization steps or robust boundary markers to prevent the agent from accidentally executing commands or overriding its core rules when analyzing or reconstructing the target text. Evidence of this risk surface exists in the 'Stage 1: Analyze Source' and 'Stage 3: Reconstruct' sections, where external data is directly integrated into the agent's reasoning process.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 3, 2026, 09:10 AM