gdpr-privacy-notice-eu-oliver-schmidt-prietz

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, NO_CODE
Full Analysis
  • EXTERNAL_DOWNLOADS (CRITICAL): Automated scanning (URLite) identified a malicious phishing URL within the file references/DE.md (Detection ID: Phishing|UR66BC00AF7C4D38C4-0200). Although no explicit malicious URL is visible in the provided text, the scanner's confirmed detection indicates a high-risk security threat. In a legal notice generator, phishing links are particularly dangerous as they can be used to harvest sensitive personal or credential data from end-users who trust the generated documentation.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because its primary function involves interpolating untrusted user data into generated documents.
      • Ingestion points: The skill ingests company names, business models, and service descriptions from users (e.g., 'SaaS platform', 'Google Analytics') to populate templates.
      • Boundary markers: The reference files do not include explicit delimiters or instructions to the model to ignore potential injection patterns within the user-provided data.
      • Capability inventory: The skill is designed to produce professional .docx files, providing a vector for distributing malicious content or social engineering instructions under the guise of legal compliance.
      • Sanitization: There is no evidence of input validation, escaping, or filtering for user-provided strings before they are incorporated into the output.
  • NO_CODE (SAFE): The skill consists exclusively of Markdown documentation and reference materials; it contains no executable code, package manifests, or shell scripts.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 19, 2026, 04:46 AM