dingtalk-workflow-knowledge-base

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches content from arbitrary external URLs (articles, YouTube, Twitter, PDFs) via WebSearch and web_reader and passes this untrusted data to an AI for processing without boundary markers or sanitization.
    * Ingestion points: External content is retrieved and passed to the AI for summary and tag generation in multiple workflows.
    * Boundary markers: The instructions do not define delimiters, nor do they instruct the agent to ignore embedded commands in the fetched content.
    * Capability inventory: The skill can write to and query DingTalk aitable databases and send chat messages via CLI tools.
    * Sanitization: There is no mention of escaping or validating the external content before it is used in subsequent operations.
  • [COMMAND_EXECUTION]: The skill uses AI-generated strings derived from untrusted sources as arguments in 'dws' CLI commands (e.g., in keyword queries and record creation). This creates a surface where adversarial instructions in scraped content could influence the parameters of the CLI tools executed by the agent.
  • [DATA_EXFILTRATION]: The skill's capability to query knowledge base records and send chat notifications creates a risk of data exfiltration. An indirect prompt injection attack could trick the agent into querying sensitive stored information and posting it to a chat group.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 14, 2026, 02:53 AM