The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill workflow is highly susceptible to indirect prompt injection during the research and initialization phases.\n
Ingestion points: The agent is instructed to use search_web and read_url_content (Step 2) and read user-filled artifacts (Phase 5) to inform skill creation.\n
Boundary markers: No delimiters or safety instructions are provided to the agent to distinguish between its instructions and the external data it is processing.\n
Capability inventory: The agent has the ability to write new files via init_skill.py, including executable scripts in the scripts/ directory and instructional markdown in SKILL.md.\n
Sanitization: There is no evidence of content sanitization or validation before external data is used to generate logic or instructions.\n- [COMMAND_EXECUTION] (MEDIUM): The init_skill.py script dynamically creates new files and applies chmod 0o755 to make them executable. While this is intended behavior for a creator tool, it creates a mechanism for privilege adjustment on files whose content might be influenced by untrusted external sources.\n- [COMMAND_EXECUTION] (LOW): The skill uses local helper scripts (quick_validate.py, compare_skill.py) to perform structural analysis and comparisons. These scripts are safe and operate on local data only.

skill-creator