The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection because it fetches external, attacker-influenceable content from GitHub READMEs and official documentation sites to generate 'directly runnable' code examples and operational steps.
Ingestion Points: Uses webReader to fetch content from docs.featbit.co and various GitHub repositories (e.g., featbit-dotnet-sdk).
Boundary Markers: Absent. The instructions do not define delimiters for fetched content nor do they command the agent to ignore embedded instructions within the documentation.
Capability Inventory: The agent is instructed to provide 'directly runnable code' and 'operational steps' based on the fetched data. This capability, combined with untrusted input, allows an attacker who can modify a README or documentation page to deliver malicious payloads to the user.
Sanitization: Absent. There is no evidence of validation or filtering of the content retrieved via webReader.
Command Execution (MEDIUM): The skill explicitly instructs the agent to execute a local Python script (scripts/query.py) using command-line arguments derived from user input. While the script is local, passing unsanitized user questions directly to python scripts/query.py "[user_question]" creates a potential command injection risk depending on how the script handles the input.
External Downloads (LOW): The skill performs real-time fetches from docs.featbit.co and github.com. While these are within the [TRUST-SCOPE-RULE] as legitimate documentation sources, the reliance on real-time fetching without integrity checks is noted. Per the trust rule, the download finding itself is LOW/INFO, but the resulting behavioral risk remains HIGH.

featbit