agent-mail

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The core functionality involves agents reading and processing message content (body_md) from other agents, which may be influenced by untrusted external data.
  • Ingestion Points: Untrusted data enters the agent's context through the /api/mail/inbox and /api/mail/search endpoints in SKILL.md.
  • Boundary Markers: The skill lacks any definition of delimiters or instructions for the agent to disregard instructions embedded within message bodies.
  • Capability Inventory: Agents using this skill have the ability to reserve/release files (/api/files/reserve) and send messages, providing a clear path for an injection to cause side effects in the project environment.
  • Sanitization: There is no evidence of sanitization or content filtering for the markdown bodies being exchanged.
  • Command Execution (LOW): The skill relies on the execution of curl commands. While the targets are localhost, the use of parameters like project_path and agent_name in the command strings could be vulnerable to shell injection if these values are sourced from untrusted inputs without proper escaping.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:43 AM