research
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the web and processes it using LLM prompts without explicit boundary markers or instructions to ignore embedded commands. This occurs during the 'Ingestion Workflow' (Step 3: Extract) where web content is passed directly to the LLM for entity extraction.
  - Ingestion points: External web content, search results, and PDF documents fetched during the research workflow (SKILL.md, extraction.md).
  - Boundary markers: None identified in the extraction prompts or ingestion workflow descriptions; prompts like the 'Master Extraction Prompt Template' lack delimiters for the content being analyzed.
  - Capability inventory: The skill can perform database writes (SurrealDB), execute local Python scripts (chunk.py, embed.py), and initiate network requests via search providers (Tavily, Brave, Google).
  - Sanitization: No sanitization, escaping, or filtering of fetched content is described before it is processed by the LLM.
- [EXTERNAL_DOWNLOADS]: The skill is designed to automatically fetch content from arbitrary URLs identified through search queries. While it supports well-known providers (e.g., Tavily, Google), the content of the retrieved pages is untrusted and serves as the primary input for the ingestion pipeline.
Audit Metadata