plato
Fail
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: CRITICAL (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill exposes a wide attack surface for indirect prompt injection by processing a large volume of unvetted text data from external web sources.
- Ingestion points: The skill ingests raw text from 69 source files in the _workspace/ directory, which were generated from automated web crawling.
- Boundary markers: There are no boundary markers or instructions to isolate the data from the agent's logic, making it possible for content in the source files to influence agent behavior if processed as authoritative context.
- Capability inventory: While no dangerous tools are explicitly called in the provided files, the large context window populated with untrusted data presents a risk if the agent is allowed access to tools like web browsing or code execution.
- Sanitization: The data shows a total lack of sanitization, as evidenced by the inclusion of spam and malicious links captured during the crawling process.
- [EXTERNAL_DOWNLOADS]: The skill's data corpus contains confirmed malicious URLs.
- Evidence: The file _workspace/raw/src_053.json contains several malicious links, such as https://journals.essrak.org/ and https://jurnal.stikesbaptis.ac.id/. These links were identified as blacklisted and appear to be part of an SEO hijacking campaign targeting the original source academic website.
Recommendations
- AI detected serious security threats
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata