ai-searching-docs

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Prompt Injection] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8). It retrieves passages from external sources and interpolates them directly into LLM prompt signatures without sanitization or delimiters.
      • Ingestion points: Untrusted data enters via self.retrieve(question).passages in the DocSearch, MultiStepSearch, and CitedSearch modules in examples.md.
      • Boundary markers: Absent. The passages are joined or numbered and fed directly into the context field of the dspy Signatures.
      • Capability inventory: The retrieved content influences the LLM's reasoning and final answer generation. While it lacks direct file-write or execution capabilities, it can be used to hijack the agent's response to the user.
      • Sanitization: None. The skill assumes retrieved passages are benign.
  • [Data Exfiltration] (MEDIUM): The skill sends user-provided queries to a hardcoded, non-whitelisted IP address (20.102.90.50) for document retrieval. This poses a privacy risk, as user intent and search terms are exposed to an unverified third-party endpoint.
  • [External Downloads] (LOW): The skill uses the datasets library to download the hotpotqa dataset from Hugging Face. While Hugging Face is a trusted organization, downloading data at runtime is an external dependency that should be monitored.
      • Evidence: load_dataset("hotpotqa", "fullwiki", split="train[:200]") in examples.md.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 16, 2026, 09:42 AM