moai-foundation-quality

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses a substantial attack surface for indirect prompt injection due to its core function of ingesting and analyzing entire codebases.
      • Ingestion points: The skill reads project files from a specified directory via tools like Read, Grep, and Glob during the analyze_codebase process.
      • Boundary markers: The documentation does not describe the use of delimiters or instructions for the agent to ignore potentially malicious embedded commands within the analyzed code files.
      • Capability inventory: The skill can read sensitive files, write changes to the filesystem (through auto_fix and refactoring features), and perform network operations like sending webhook alerts.
      • Sanitization: There is no mention of sanitizing or validating the content of the analyzed files to prevent malicious instructions from influencing the agent's behavior during a review.
  • [DATA_EXFILTRATION]: The skill includes features for external reporting that could be leveraged to exfiltrate sensitive information.
      • Evidence: The RealTimeQualityMonitor and CustomQualityAlertHandler components shown in the examples transmit quality metrics and alerts to external webhook_url endpoints (e.g., Slack). Furthermore, the REST API integration example allows for cloning remote repositories to a temporary directory for processing.
  • [COMMAND_EXECUTION]: The skill provides mechanisms to modify project files and execute custom validation logic, which could be misused if manipulated.
      • Evidence: The RefactoringSuggester class is designed to automatically apply code modifications, which involves direct filesystem writes. The CustomQualityRule architecture allows users to register and execute arbitrary validator callables that perform analysis on the codebase.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 12:18 AM