The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: Documentation examples in references/tool-builder.md and references/agent-patterns.md demonstrate the use of the Python eval() function to process user-provided strings for a calculator tool. This pattern is highly insecure as it allows for arbitrary code execution if an attacker can influence the tool input.
[COMMAND_EXECUTION]: The skill configuration in SKILL.md permits the execution of pip install for the vendor package and arbitrary Python commands via Bash(python *). This provides the agent with extensive control over the environment and the ability to run arbitrary logic.
[DATA_EXFILTRATION]: The SDK includes built-in methods for uploading files to the platform and calling external webhooks. While intended for legitimate integration, these features provide a mechanism for moving data from the local environment to remote servers.
[PROMPT_INJECTION]: The skill is designed to process external inputs through its SDK methods and tool definitions, creating a surface for indirect prompt injection.
Ingestion points: Data enters through client.run inputs, agent.send_message files/content, and webhook_tool responses.
Boundary markers: The documentation does not specify the use of strict delimiters or instructions to ignore embedded commands for these inputs.
Capability inventory: Access to file uploads, webhooks, and arbitrary Python execution provides high-impact actions for an injected prompt to exploit.
Sanitization: The skill promotes a human-in-the-loop workflow as a mitigation, which serves as a manual checkpoint against malicious tool calls.

python-sdk