inno-grant-proposal

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface by ingesting and processing untrusted user data such as previous proposals and research drafts.
  • Ingestion points: User-provided proposal drafts and profile data are read via the read_file tool or provided in prompts during the 'Adapt from Previous Proposal' workflow (referenced in SKILL.md).
  • Boundary markers: The instructions lack explicit structural delimiters (e.g., XML tags) or clear warnings to the agent to disregard instructions embedded within user-provided data.
  • Capability inventory: The skill possesses write_file and run_terminal capabilities, allowing it to modify the project workspace and execute scripts.
  • Sanitization: There is no evidence of sanitization or escaping of external content before it is used to influence the drafting and review logic.
  • [COMMAND_EXECUTION]: The agent is instructed to use the run_terminal tool to execute several bundled Python scripts (scripts/validate_length.py, scripts/validate_citations.py, and scripts/compliance_check.py) during the 'Quality Review' phase (Phase 3). These scripts take user-provided file paths or directories as arguments, which can be an avenue for exploitation if path sanitization is insufficient.
  • [PROMPT_INJECTION]: The skill contains a directive to the agent to suppress certain internal markers from the user output: 'The user never sees S1/S2/S3/S4 markers or internal notes in deliverables.' (found in SKILL.md under Core Philosophy). While intended for professional output formatting, directives that suppress information from the user are generally noted in security audits.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 01:26 PM