NYC

skill-share

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Prompt Injection (HIGH): The skill has a high-risk surface for indirect prompt injection. It takes user-provided metadata (name, description, content) and uses it to generate file structures and Slack notifications. An attacker could use this to inject instructions into a team's environment.
  • Ingestion points: User input provided during the 'Initialization' phase (name and description).
  • Boundary markers: None identified; the skill assumes user input is safe for packaging and sharing.
  • Capability inventory: File system write access (creating directories, scripts, and zips) and network operations (Slack messaging via Rube).
  • Sanitization: Only format/metadata completeness validation is mentioned; no security sanitization of input content is documented.
  • Data Exfiltration (MEDIUM): The integration with Rube for Slack messaging ('SLACK_SEND_MESSAGE', 'SLACK_POST_MESSAGE_WITH_BLOCKS') allows the skill to automatically send data from the local environment to an external platform. If a user is tricked into creating a skill containing sensitive data, this skill would facilitate its exfiltration to Slack.
  • Dynamic Execution (MEDIUM): The skill generates 'scripts/' and 'references/' directories and requires Python 3.7+ for execution. This indicates the skill is involved in the creation and potential execution of scripts. The risk of generating malicious code from user templates is significant if the generation logic is not strictly constrained.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:09 AM