The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The Machine Learning Agent instructions permit the dynamic installation of missing Python packages via conda install or pip install (e.g., pip install <package> --no-deps in references/ml_agent_instructions.md). This allows for the introduction of unverified code into the environment.
[REMOTE_CODE_EXECUTION]: The workflow involves generating Python scripts (e.g., run_training_testing.py) based on external inputs and then executing them using the run_python tool. This pattern is risky as the generated code is derived from untrusted sources like user-provided ideas and reference papers.
[COMMAND_EXECUTION]: The skill utilizes shell tools for a wide range of tasks, including directory management (mkdir -p), file listing (ls, tree), and script execution (execute_command). These capabilities provide a broad attack surface if the agent is misled by malicious inputs.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting external data and interpolating it directly into prompts for downstream agents (Coding Plan Agent, ML Agent, Judge Agent).
Ingestion points: Data entering the context includes survey_res (user idea), references (source papers), and code_survey_res (survey notes), as detailed in SKILL.md and used in templates like prompts/build_plan_query.md.
Boundary markers: Prompt templates in prompts/ (e.g., build_iteration_query.md, build_ml_dev_query.md) lack delimiters (such as XML tags or triple quotes) or 'ignore embedded instructions' warnings for the interpolated variables.
Capability inventory: The skill possesses powerful capabilities including arbitrary shell command execution, file system modification, and package installation.
Sanitization: No validation, escaping, or filtering of the ingested external content is implemented before it is used to construct prompts.

inno-experiment-dev