The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill fetches market data, product lists, and statistics from the external domain mcp.sorftime.com through multiple Python scripts including workflow.py and analyze_category.py.
[COMMAND_EXECUTION]: The scripts/workflow.py script uses subprocess.run to execute curl for API calls. Additionally, the skill's instructions in SKILL.md guide the agent to run local Python scripts to process data and generate reports.
[DATA_EXFILTRATION]: The skill retrieves a user's Sorftime API key from environment variables or a local .mcp.json file and transmits it to https://mcp.sorftime.com for authentication. This is required for functionality but involves sending credentials to a third-party service.
[PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting and processing untrusted data from the Sorftime API. Evidence Chain: 1. Ingestion points: Data is fetched from the external API in scripts/workflow.py and processed in scripts/analyze_category.py. 2. Boundary markers: No explicit boundary markers or instructions to ignore embedded prompts are present in the report generation templates found in assets/report_template.md or assets/dashboard_template.html. 3. Capability inventory: The skill can execute shell commands via curl and write files to the local file system. 4. Sanitization: While the scripts include logic to clean control characters and fix encoding (Mojibake), they do not sanitize text for potential LLM instructions embedded in the external product data.

category-selection