The Agent Skills Directory

[PROMPT_INJECTION]: The ai_screening component is susceptible to indirect prompt injection because it interpolates untrusted external data ({resume_text}) directly into an LLM prompt.
Ingestion points: The {resume_text} variable in SKILL.md which processes candidate-provided resumes.
Boundary markers: No delimiters (e.g., XML tags or triple quotes) or 'ignore embedded instructions' warnings are present to isolate the untrusted resume content.
Capability inventory: The skill utilizes greenhouse_api, workday_api, and bamboohr_api through the hr-mcp server, granting the agent capability to modify employee and candidate records in core HR systems.
Sanitization: No sanitization, escaping, or validation logic is defined for the external resume content before processing.
[DATA_EXFILTRATION]: The skill's primary workflows (onboarding and document compliance) involve the collection and processing of highly sensitive data.
Evidence: The onboarding_workflow and document_compliance sections in SKILL.md explicitly mention handling id, tax_forms, and direct_deposit (banking) information.
Risk: While no malicious network exfiltration to unauthorized domains was detected, the inherent access to these sensitive data points combined with the indirect prompt injection surface increases the risk of unauthorized data exposure or manipulation.

hr-automation