The Agent Skills Directory

[Unverifiable Dependencies] (HIGH): The skill explicitly requires non-existent versions of the OpenAI SDK in multiple files:
templates/package.json specifies "openai": "^6.7.0".
rules/openai-api.md claims the project uses openai@6.9.1.
Evidence: As of current legitimate SDK releases (v4.x), these versions do not exist. This creates a critical supply-chain vulnerability where an attacker could publish a malicious package with these version numbers to npm, leading to arbitrary code execution during installation via npm install.
[Indirect Prompt Injection] (HIGH): The skill handles untrusted external data and feeds it directly into LLM prompts without safety controls.
Ingestion points: templates/embeddings.ts (processes knowledge base documents), templates/function-calling.ts (processes search results via search_web), and templates/audio-transcription.ts (processes audio files).
Capability inventory: The skill uses openai.chat.completions.create and executes local tool logic (getWeather, searchWeb) based on LLM output influenced by this data.
Boundary markers: Absent. The templates use simple string interpolation (e.g., `Answer the question using the following context:\n\n${context}`) without XML tags or delimiters.
Sanitization: None. External content is used raw, allowing an attacker to embed instructions in documents or search results to hijack the agent's behavior.
[Metadata Poisoning] (MEDIUM): The skill contains deceptive claims in README.md and .claude-plugin/plugin.json regarding support for "GPT-5," "GPT-5.2," and "Nov 2025" updates. This misinformation could lead users to trust the skill's security claims or performance based on non-existent capabilities.
[Command Execution] (LOW): scripts/check-versions.sh executes shell commands (npm list, npm view) to check package status. While benign in its current form, it represents a surface for script manipulation if modified.

openai-api