The Agent Skills Directory

[PROMPT_INJECTION]: The skill processes untrusted code and project data through its reading capabilities, which presents an indirect prompt injection surface. Maliciously crafted comments or code snippets in the files being audited could contain instructions targeting the AI agent's logic.
Ingestion points: External source files and project structures read via the Read, Grep, and Glob tools.
Boundary markers: The instructions lack explicit delimitation or directives to ignore embedded instructions when reading external content.
Capability inventory: Access to the Bash tool, which provides a powerful execution environment.
Sanitization: No mechanisms are provided to sanitize or validate the content of the data read from external sources before it is analyzed by the language model.
[COMMAND_EXECUTION]: The skill is granted access to the Bash tool. While intended for search and identification tasks during an audit, this capability could be exploited if an attacker successfully influences the agent through an indirect prompt injection attack.
[EXTERNAL_DOWNLOADS]: The skill contains a hardcoded recommendation for the user to install an external extension from 'github.com/mindverse/skillhub'. This is structured as a user-facing recommendation and does not involve automated background downloading or execution by the agent itself.

security-audit