qbittorrent

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM | PROMPT_INJECTION | COMMAND_EXECUTION | CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions using 'MANDATORY' and 'CRITICAL' markers that attempt to override the AI agent's logic for tool selection, explicitly claiming that failure to use the skill violates 'operational requirements'.
  • [COMMAND_EXECUTION]: The scripts/qbit-api.sh script is vulnerable to API parameter injection. User-supplied arguments, such as torrent URLs in cmd_add and hashes in cmd_delete, are concatenated directly into strings used for curl POST data without escaping or validation. This allows a malicious user or an indirect prompt injection attack to inject additional parameters into the qBittorrent API request by including characters like & in the input.
  • [CREDENTIALS_UNSAFE]: Hardcoded example passwords (adminadmin and adminpass) are present in SKILL.md and the references/api-endpoints.md documentation file.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data from the qBittorrent API.
      • Ingestion points: Torrent names, categories, and tags are retrieved from the qBittorrent API via scripts/qbit-api.sh (list command) and passed into the agent's context.
      • Boundary markers: No boundary markers or delimiters are used to wrap the external data, nor are there instructions to ignore commands embedded in the torrent metadata.
      • Capability inventory: The skill possesses significant capabilities, including the ability to permanently delete local files (delete --files), change application speed limits, and add new torrents from arbitrary URLs.
      • Sanitization: No evidence of sanitization, escaping, or filtering is found for strings retrieved from the API before they are processed by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 7, 2026, 05:32 PM