Craft CMS Skills

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The create_asset and update_asset tools explicitly support local file paths (e.g., /path/to/file) and file:// URLs in the fileUrl and newFileUrl parameters.
      • Evidence: In create_asset.md, the documentation states it supports 'Local file paths (e.g., /path/to/file.jpg)' and 'Local file:// URLs'.
      • Risk: An attacker could use indirect prompt injection to trick the agent into reading sensitive files like ~/.aws/credentials, /etc/passwd, or .env files and 'uploading' them as assets to the CMS, where they may become accessible via public URLs.
  • Command Execution (MEDIUM): The SKILL.md file contains instructions that may lead the agent to execute shell commands for plugin management.
      • Evidence: 'The skills plugin must be installed... install it with php craft plugin/install skills'.
  • Indirect Prompt Injection (LOW): The skill has a large attack surface as it is designed to ingest and process content from a CMS, which is considered untrusted data.
      • Ingestion points: get_entry.md, search_content.md, and get_fields.md retrieve data from the CMS database.
      • Boundary markers: None mentioned; the agent is not instructed to ignore instructions within the retrieved content.
      • Capability inventory: Includes file read/write via create_asset, entry deletion via delete_entry, and layout modification.
      • Sanitization: No explicit mention of sanitizing or escaping content before processing.
  • External Downloads (LOW): The create_asset tool allows downloading files from arbitrary remote HTTP/HTTPS URLs.
      • Evidence: create_asset.md supports 'Remote http:// or https:// URLs'.
      • Risk: This enables Server-Side Request Forgery (SSRF) if the agent is directed to request internal metadata services or private network resources.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:30 PM