implementing-vulnerability-sla-breach-alerting

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted vulnerability data from external sources and propagates it into notifications and reports.
  • Ingestion points: The import_findings function in scripts/process.py reads data from user-provided CSV files.
  • Boundary markers: No clear delimiters or warnings are used in the notification templates to prevent embedded instructions in the findings data from influencing the agent or recipient.
  • Capability inventory: The skill utilizes requests for Slack and PagerDuty notifications and smtplib for email alerts.
  • Sanitization: Input validation is limited; while CVSS scores are cast to floats, other metadata fields (e.g., CVE IDs, hostnames) are passed through as raw strings.
  • [COMMAND_EXECUTION]: The skill provides explicit instructions in the documentation to establish a persistence mechanism using a cron job.
  • Evidence: SKILL.md contains a shell command snippet (echo "..." | crontab -) to schedule the process.py script for hourly execution. This is intended functionality for automated alerting, but it modifies system-level task schedules.
  • [SAFE]: External network operations are directed to user-defined targets or well-known service endpoints (PagerDuty) for legitimate alerting purposes.
  • [SAFE]: Third-party dependencies are well-known, standard libraries and are explicitly documented in the prerequisites and installation instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 11:33 PM