The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It retrieves data from external, attacker-controlled sources (Bluesky account bios and posts) and processes it for categorization. There are no boundary markers or sanitization logic mentioned to prevent embedded instructions from subverting the agent's behavior.
Ingestion points: scripts/bluesky_analyzer.py fetches data from the Bluesky API via the requests library.
Boundary markers: Absent. The output format in SKILL.md (line 115) simply concatenates raw bio text with keywords.
Capability inventory: The agent can execute local Python scripts and read files from the filesystem.
Sanitization: Absent. No filtering or escaping of account content is performed before presentation to the LLM.
[DATA_EXFILTRATION] (HIGH): The skill provides a --file PATH parameter that reads arbitrary handles from a local file. This mechanism can be abused to read sensitive local files (e.g., configuration files or SSH keys) and expose their contents to the agent context.
Evidence: SKILL.md (line 92) and the get_accounts_from_file function in scripts/bluesky_analyzer.py (line 265) facilitate local file access.
[COMMAND_EXECUTION] (MEDIUM): The skill relies on an external virtual environment (yake-venv) and delegates keyword extraction to it. This involves runtime execution of external binaries and potentially subprocess spawning, which increases the attack surface if the fetched account data is passed as arguments to the YAKE venv unsafely.
Evidence: SKILL.md (lines 13, 172) and scripts/bluesky_analyzer.py (line 124) describe the delegation to the extracting-keywords skill and its associated virtual environment.

categorizing-bsky-accounts