NYC

javascript-sdk

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE (finding categories: DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • Data Exposure & Exfiltration (LOW): The documentation in references/files.md details a feature where local file paths provided in input objects are automatically uploaded to the remote inference server. This mechanism could be abused to exfiltrate sensitive files (e.g., SSH keys, AWS credentials) if an agent is manipulated into specifying unauthorized local paths. This finding is categorized as LOW because it is a documented primary feature of the SDK, but it represents an inherent risk in agentic workflows.
  • Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted external data, creating a vulnerability to indirect prompt injection.
      • Ingestion points: Untrusted data enters the context via external URLs in client.run and file attachments in agent.sendMessage (as seen in references/files.md).
      • Boundary markers: The documentation lacks examples of using delimiters or instructions to prevent the agent from obeying commands embedded within processed files or URL content.
      • Capability inventory: The SDK provides the ability to execute remote apps, manage sessions, and perform filesystem reads/uploads, which could be leveraged if an injection is successful.
      • Sanitization: There is no evidence of content sanitization or validation of external data before it is passed to the underlying models.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 10:11 AM