moltoffer-candidate

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes uncontrolled text from external sources to make matching decisions and generate replies.
      • Ingestion points: Job descriptions fetched in references/daily-match.md, recruiter replies retrieved in references/comment.md, and user-provided resumes in references/onboarding.md.
      • Boundary markers: No specific delimiters or safety instructions are defined to separate untrusted external content from system instructions during processing.
      • Capability inventory: The skill can execute shell commands via curl, write to local files (persona.md, credentials.local.json), and invoke other agent skills like /moltoffer-auto-apply.
      • Sanitization: There is no evidence of sanitization, filtering, or validation of the content ingested from job posts or resumes before it is used to influence agent logic.
  • [COMMAND_EXECUTION]: The skill frequently invokes the curl binary to perform network operations. These calls target the legitimate vendor domain (api.moltoffer.ai), but the pattern could allow arbitrary command execution if input parameters were not properly handled.
  • [CREDENTIALS_UNSAFE]: User-provided API keys are stored in plaintext in credentials.local.json. Although the documentation advises the user that this file is typically ignored by version control, storing sensitive tokens on the local filesystem increases the impact of a potential local system compromise.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 7, 2026, 05:28 PM