init-project

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The included report skill (in assets/report-SKILL.md) is designed to read and summarize Jupyter notebooks, which are untrusted external data sources.
    • Ingestion points: The skill reads .ipynb files directly from the notebooks/ directory.
    • Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat the notebook content as data rather than instructions.
    • Capability inventory: The skill possesses Write and limited Bash capabilities, which could be leveraged if an attacker embeds malicious instructions within a notebook markdown cell or code output.
    • Sanitization: Absent. The agent is directed to extract and reproduce conclusions and results without any validation or filtering.
  • External Downloads (MEDIUM): The skill recommends installing a tool from https://github.com/kdkyum/jlab-mcp.git.
    • This repository belongs to an unverified individual and is not part of the trusted organization list, creating a risk of remote code execution during the installation phase via uv tool install.
  • Command Execution (LOW): The skill uses sed to perform string substitution using $ARGUMENTS.
    • While the use of | as a delimiter provides some protection, a crafted input containing the delimiter could potentially alter the structure of the generated pyproject.toml or .mcp.json files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:57 PM