The Agent Skills Directory

Indirect Prompt Injection (HIGH): The overnight-build.md and parallel-research.md workflows create high-risk attack surfaces where sub-agents ingest external/untrusted content.
Ingestion points: parallel-research.md reads competitor websites; overnight-build.md reads project files like SESSION_STATE.md and BUILD-BRIEF.md which may be modified by previous tasks or external processes.
Boundary markers: None. There are no instructions to the sub-agents to ignore instructions embedded within the data they are researching or building.
Capability inventory: The sub-agents can write files, commit changes to git, and use the message tool to send files externally.
Sanitization: None detected.
Data Exfiltration & Local File Access (MEDIUM): The browser-pdf-generation.md workflow allows the browser to open file:// URLs.
Evidence: The example shows file:///path/to/report.html. If an attacker-controlled URL is passed to this workflow (via Indirect Prompt Injection), an attacker could force the agent to capture screenshots or generate PDFs of sensitive system files (e.g., file:///etc/passwd or ~/.ssh/id_rsa).
Exfiltration path: The workflow explicitly includes a step to send the resulting file using message send filePath=<pdf_path>.
Data Exposure (LOW): The browser-mediavine-csv.md file contains hardcoded internal site IDs.
Evidence: Table mapping site names (e.g., 'Hello Hayley') to IDs (e.g., '16496'). While these are not secret keys, they provide internal metadata that could be used in reconnaissance or further attacks on the dashboards.

workflows