pseo-linking
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it processes untrusted data from an external data layer and uses it to generate critical system files.
- Ingestion points: Untrusted data enters the agent context through 'getAllCategories()', 'getPagesByCategory()', and 'loadRedirectMap()' as described in sections 6 and 7 of 'SKILL.md'.
- Boundary markers: Absent. There are no delimiters or 'ignore' instructions provided to the agent to distinguish between legitimate data and embedded instructions within the ingested slugs or titles.
- Capability inventory: The skill possesses 'Write', 'Edit', and 'Bash' permissions, allowing it to modify application entry points like 'next.config.js'.
- Sanitization: Absent. The implementation logic directly interpolates external strings into code blocks (e.g., '${baseUrl}/${cat.slug}') without any validation or escaping mechanisms.
- Command Execution (HIGH): The skill requests 'Bash' and 'Write' tools to manage redirects and sitemaps. If the source data is compromised, these tools could be leveraged to perform unauthorized file system modifications or execute arbitrary shell commands.
- Dynamic Execution (MEDIUM): The skill implements logic to write and update JavaScript/TypeScript files ('next.config.js' and 'sitemap.ts') at runtime. Since these files are executed by the Node.js runtime, any malicious content injected via the data layer would result in remote code execution on the host server.
Recommendations
- AI detected serious security threats
Audit Metadata