midjourney-prompt-engineering

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted external content via WebFetch in the research command and core-research-phase. This content is used to inform prompt generation and is stored in the local SQLite database. Because the skill possesses high-privilege capabilities—including browser automation (Playwright) to interact with Midjourney and database write access—this creates a significant surface for indirect prompt injection.
      • Ingestion points: research.md, core-research-phase.md (via WebSearch/WebFetch).
      • Boundary markers: The skill labels research as 'unvalidated' but does not enforce strict sanitization.
      • Capability inventory: Playwright automation (auto-core-workflows.md) and SQLite database persistence (schema.sql).
      • Sanitization: No explicit content filtering or escaping of fetched web data.
  • [External Downloads] (LOW): The skill requires the installation of two Model Context Protocol (MCP) servers using npx.
      • Evidence: SKILL.md instructs the user to run claude mcp add sqlite-simple -- npx @anthropic-ai/sqlite-simple-mcp and claude mcp add playwright -- npx @playwright/mcp@latest.
      • Risk Downgrade: These packages are provided by trusted organizations (anthropic-ai and playwright/Microsoft), which reduces the severity from MEDIUM to LOW per [TRUST-SCOPE-RULE].
  • [Command Execution] (MEDIUM): The skill performs browser automation on the Midjourney website and executes complex SQL queries to manage its learning database. While functional, these capabilities increase the impact of any successful prompt injection.
  • [Dynamic Execution] (MEDIUM): The learn-reflection.md rule describes spawning a background subagent to handle data processing and knowledge base regeneration, involving dynamic agent creation and automated file modification.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:53 AM