clawcard
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted data from multiple sources which could contain malicious instructions designed to manipulate agent behavior.
  * Ingestion points: The skill reads external content via email.md (emails), sms.md (SMS), catalog-scrape.md (scraped URLs), and checkout.md (web page snapshots via MCP).
  * Boundary markers: There are no explicit instructions or delimiters defined to separate untrusted external data from the agent's core instructions.
  * Capability inventory: The agent has access to highly sensitive tools including virtual card creation and payment (cards.md), crypto wallet transfers (wallet.md), and secret retrieval from a credential vault (credentials.md).
  * Sanitization: No input validation or sanitization routines are mentioned for processing the contents of emails, messages, or web pages.
- [COMMAND_EXECUTION]: Dynamic Code Execution Capability. The skill exposes a tool for executing arbitrary source code.
  * Evidence: The run-code capability in catalog-compute.md allows the execution of source code in 60+ languages. While documented as sandboxed, providing an LLM with direct code execution capabilities increases the risk of local environment exploitation if security boundaries are bypassed.
Audit Metadata