skills/getpaseo/paseo/paseo-chat/Gen Agent Trust Hub

paseo-chat

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it processes external and user-supplied data.
    • Ingestion points: The SKILL.md file interpolates the $ARGUMENTS variable directly into the instruction context. In addition, the paseo chat read command (referenced in SKILL.md) ingests messages from a shared chat environment.
    • Boundary markers: No delimiters, such as XML tags or markdown blocks, surround the interpolated arguments or chat outputs, and there are no specific instructions telling the agent to ignore commands embedded in them.
    • Capability inventory: The agent has the capability to execute shell commands via the paseo CLI tool.
    • Sanitization: No sanitization, escaping, or validation mechanisms are defined for the ingested chat content or user arguments.
  • [DATA_EXFILTRATION]: The skill documents the use of paseo chat post to send information to an external chat service. While this is the intended functionality for coordination, it creates a risk where a compromised or manipulated agent could be instructed to post sensitive environment variables, secrets, or internal file contents into a shared room.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 09:29 AM