refresh-project-docs
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to process untrusted repository content (code, comments, docs) to update documentation without boundary markers.
  - Ingestion points: Repository files (source code, config, manifests) as defined in SKILL.md and prompt-template.md.
  - Boundary markers: Absent; no delimiters are used to wrap ingested content.
  - Capability inventory: Includes file-read, file-write, and potential command execution.
  - Sanitization: Absent; no filtering of repository data is specified.
- [COMMAND_EXECUTION]: The instructions direct the agent to check 'command help text' and 'scripts' to ensure documentation accuracy. This implies the execution of binaries or scripts within the repository to capture their output (e.g., running '--help' flags), which could execute malicious code if the repository contains compromised scripts.
- [DATA_EXFILTRATION]: The workflow requires the agent to inspect sensitive repository files, such as configuration manifests and environment examples. While the skill does not explicitly exfiltrate data, the broad read access combined with the task of rewriting documentation increases the risk that sensitive internal details could be inadvertently included in the generated output.