moai-internal-comms

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core functionality of ingesting and summarizing untrusted data from multiple enterprise sources.
  • Ingestion points: The workflow instructions in 'examples/3p-updates.md', 'examples/company-newsletter.md', and 'examples/faq-answers.md' explicitly direct the agent to read content from Slack, Email, Google Drive, Calendar events, and corporate documents.
  • Boundary markers: There are no defined delimiters (e.g., XML tags) or system instructions that mandate the agent to ignore or isolate embedded commands within the processed data.
  • Capability inventory: The skill is granted access to high-privilege tools including 'Bash', 'WebFetch', 'Write', and 'Edit'.
  • Sanitization: No sanitization, validation, or filtering logic is prescribed before the ingested data is processed by the AI or passed to tools.
  • [COMMAND_EXECUTION]: The skill requests access to the 'Bash' tool in its 'SKILL.md' configuration. While no specific malicious commands are present in the skill's source, providing shell access to an agent that processes untrusted external messages creates a risk where an attacker could trigger arbitrary command execution through a malicious Slack message or email.
  • [DATA_EXFILTRATION]: The inclusion of the 'WebFetch' tool allows the agent to make outbound network requests. When combined with access to sensitive organizational data (Slack, Email, Documents), a successful prompt injection could be used to exfiltrate proprietary information to an external server controlled by an attacker.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 2, 2026, 05:14 PM