implementing-google-workspace-sso-configuration

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it processes external data.
  • Ingestion points: scripts/agent.py reads JSON configuration and log files via CLI arguments; scripts/process.py fetches and parses external SAML metadata XML from user-provided URLs.
  • Boundary markers: Absent. There are no delimiters or instructions for the agent to ignore potentially malicious instructions embedded within the metadata or log files.
  • Capability inventory: The skill scripts perform file system read/write operations (scripts/agent.py) and network GET/HEAD requests (scripts/process.py).
  • Sanitization: Absent. The XML parsing in scripts/process.py uses lxml.etree.fromstring without explicit configuration to disable external entities (XXE protection), and the JSON parsing lacks schema validation for the processed logs.
  • [DATA_EXFILTRATION]: scripts/process.py contains functionality to perform network requests to external domains provided by the user.
  • Evidence: The validate_idp_metadata method uses requests.get(metadata_url) and the validate_sso_configuration method uses requests.head(idp_sso_url) to verify external Identity Provider endpoints. While functional for SSO validation, this allows the agent to interact with arbitrary non-whitelisted domains.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 06:26 PM