audit-skill

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Susceptibility to indirect prompt injection due to the processing of untrusted skill definitions.
      * Ingestion points: The skill reads SKILL.md and various files from user-specified directories during the audit process.
      * Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat audited content as untrusted or to ignore potential instructions embedded within those files.
      * Capability inventory: The skill has permissions to overwrite SKILL.md, create files in the references/ directory, and generate executable shell or Python scripts in the scripts/ directory.
      * Sanitization: No sanitization or verification process is defined for content extracted from target skills before it is used to modify or create files.
  • [COMMAND_EXECUTION]: The skill can generate and save new shell or Python scripts to the local filesystem based on operations described in the audited skill's text, which could lead to the creation of malicious tools if the source content is compromised.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 19, 2026, 04:44 PM