orchestrating-skills
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data through the context parameter in orchestrate.py. This data is sliced and interpolated into prompts for subagents in assembler.py. Markdown delimiters are used, but the context content is not validated or sanitized to prevent malicious instructions from influencing agent behavior. Mandatory evidence: ingestion occurs in orchestrate.py; boundary markers are simple markdown headers in assembler.py; capabilities include network access and dynamic script loading; no sanitization is performed on context subsets.
- [COMMAND_EXECUTION]: The _persist function in orchestrate.py modifies sys.path at runtime to include an external directory (/mnt/skills/user/remembering) and performs a dynamic import of the remember script. This behavior, while intended for modularity, allows execution of code from dynamically determined local paths.
- [EXTERNAL_DOWNLOADS]: Communicates with the official Anthropic API endpoint (https://api.anthropic.com/v1/messages) to perform orchestration and synthesis tasks. This is a well-known service, and the usage is consistent with the skill's primary purpose.
- [CREDENTIALS_UNSAFE]: The skill attempts to read ANTHROPIC_API_KEY from environment variables or from a configuration file at /mnt/project/claude.env in client.py. Accessing sensitive credential files is a point of data exposure risk.
Audit Metadata