The Agent Skills Directory

[INDIRECT_PROMPT_INJECTION]: The skill's primary function is to process and analyze untrusted data from other skill directories, which creates an attack surface for indirect prompt injection.
Ingestion points: The skill reads SKILL.md, agents/openai.yaml, and various script/reference files from a user-provided directory path.
Boundary markers: There are no explicit instructions to wrap the untrusted content in delimiters or to ignore instructions contained within the analyzed files.
Capability inventory: The agent can execute git commands and is suggested to use npx for validation, providing a path for injected instructions to influence system state.
Sanitization: While it has a policy to redact secrets, it does not sanitize instructions or escape content that could override the agent's behavior.
[COMMAND_EXECUTION]: The workflow involves executing several shell commands to gather context from the local environment.
Evidence: The skill uses git remote show origin, git diff <base> -- <skill>/, and git log to analyze the target directory's history.
[REMOTE_CODE_EXECUTION]: The evaluation rubric suggests the use of external tools that are downloaded and executed at runtime.
Evidence: references/skills-rubric.md mentions running npx skillcheck <skill> and npx agnix <skill> as optional validation steps. These commands download and execute packages from the npm registry.
[DATA_EXFILTRATION]: The skill performs broad filesystem reads within the target directory.
Evidence: It reads multiple files including SKILL.md, configuration files, and scripts. Although it has a 'Secrets' policy to redact credentials, the capability to read and process local files could be abused if the agent is compromised via injection.

reviewing-skills