wikipedia-research

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection (Category 8). It is designed to ingest and parse wikitext and citation metadata from Wikipedia via the MediaWiki API, as documented in references/api_reference.md and references/citation_templates.md. Since Wikipedia is a publicly editable source, an attacker could embed malicious instructions within an article's content or references to influence the behavior of the AI agent.

    Evidence Chain:
    1. Ingestion points: The skill fetches data from the MediaWiki API (action=parse and action=query).
    2. Boundary markers: There are no explicit delimiters or 'ignore instructions' markers defined in the parsing logic snippets to isolate ingested text from the agent's internal reasoning.
    3. Capability inventory: The skill possesses network access capabilities for article fetching and citation verification (e.g., via doi.org and PubMed).
    4. Sanitization: While the code in references/citation_templates.md performs basic regex-based cleaning of wiki markup, it lacks semantic sanitization to prevent the execution of embedded instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:15 PM