moai-workflow-project

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION · EXTERNAL_DOWNLOADS · COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill exhibits an indirect prompt injection surface by processing untrusted data to influence agent behavior and output.
    1. Ingestion points: Data enters through user responses in templates/question-templates/ and via project-level files scanned for language and metadata.
    2. Boundary markers: Markdown templates such as templates/doc-templates/product-template.md use direct variable interpolation without explicit delimiters to isolate user-provided content.
    3. Capability inventory: The skill documentation describes capabilities like localize_agent_prompts and automated documentation generation from specification data.
    4. Sanitization: Structural validation is present in schemas/config-schema.json, but there is no evidence of sanitization for the content interpolated into prompts.
  • [Unverifiable Dependencies] (LOW): The project initialization configuration includes an auto_dependencies option which triggers package managers like pip and npm. This is a standard but noteworthy supply chain risk surface.
  • [Dynamic Execution] (LOW): The system supports template engines like Jinja2 and Handlebars. Un-sandboxed processing of user-controlled data remains a potential vector for injection if the check_security features in the schema are not properly enforced.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:39 PM