skill-perfection

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The preflight.py script parses untrusted markdown files provided as input.
      • Ingestion points: The script reads the target markdown file using Path.read_text() in the run_preflight function.
      • Boundary markers: Absent; the script processes the entire file content without specific delimiters or instructions to ignore embedded commands.
      • Capability inventory: The script performs outbound network HEAD requests via httpx to any URL found in the input file. It also uses ast.parse for syntax checking.
      • Sanitization: No sanitization is performed on the extracted URL strings before they are used in network requests.
  • [Data Exposure & Exfiltration] (LOW): The script automatically connects to external endpoints found in audited files.
      • Evidence: The check_urls function in preflight.py uses httpx.AsyncClient().head(url) to verify link accessibility. While HEAD requests are metadata-only, they constitute outbound network traffic to arbitrary domains determined by untrusted input data.
  • [Command Execution] (LOW): The skill instructions require the agent to execute a local bundled script.
      • Evidence: SKILL.md instructs the user to run uv run python ${SKILL_DIR}/scripts/preflight.py. This is a controlled execution of a bundled script, but it is the primary mechanism for the network side effects mentioned above.
  • [External Downloads] (LOW): The use of uv run may trigger dependency resolution.
      • Evidence: The script relies on optional dependencies httpx and PyYAML. When executed via uv run, the environment may attempt to download these packages if they are not already cached.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:25 PM