The Agent Skills Directory

[PROMPT_INJECTION]: The skill processes untrusted data originating from external users, such as URL query parameters, search terms, and navigation breadcrumbs. This creates a surface for indirect prompt injection where an attacker could navigate to specific URLs or perform searches containing malicious instructions designed to manipulate the AI agent's analysis or output.
Ingestion points: In SKILL.md, the tools search_events, get_replay_details, and get_sentry_resource fetch user-controlled strings like URLs, search queries, and activity breadcrumbs.
Boundary markers: No specific delimiters or boundary markers are instructed to be used when interpolating this untrusted data into the agent's context.
Capability inventory: The skill uses search_events, get_replay_details, search_issues, and get_sentry_resource (all tools in SKILL.md). These are restricted metadata retrieval tools within the Sentry platform and do not include arbitrary command execution or file system writes.
Sanitization: The instructions include a requirement to anonymize user email addresses, but there is no mention of sanitizing or escaping the text content of URLs or breadcrumbs to prevent injection.

replay-ux-research