email-recommendation

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves and processes untrusted content from external sources. Specifically, it reads customer email bodies from the sys_email table and case descriptions from the sn_customerservice_case table.
  • Ingestion points: Untrusted data enters the agent's context through queries to the sys_email and sn_customerservice_case tables (Steps 1 and 2).
  • Boundary markers: The instructions do not include boundary markers or delimiters (such as XML tags or explicit 'ignore embedded instructions' prompts) when processing the retrieved text, which could allow an attacker to influence the agent's behavior via malicious text in a support ticket or email.
  • Capability inventory: The skill possesses capabilities for tool execution (including Bash and several ServiceNow REST API endpoints) and content generation.
  • Sanitization: There is no evidence of sanitization or validation of the ingested external content before it is used to generate recommendations.
  • [DATA_EXFILTRATION]: The skill accesses personally identifiable information (PII) including customer names, phone numbers, and email addresses from the customer_contact and sys_email tables. While this behavior is consistent with the primary purpose of a customer service management tool, it represents a data exposure surface that would be targeted in the event of an agent compromise.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 29, 2026, 04:35 PM