NYC

cloudflare-durable-objects

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill contains multiple templates designed to ingest and process untrusted data from external sources, which is the primary attack vector for AI agents. Ingestion points: Files like websocket-hibernation-do.ts (webSocketMessage), basic-do.ts (fetch), and location-hints.ts (URLSearchParams) handle external strings and JSON. Boundary markers: Absent; no delimiters provided to separate data from instructions. Capability inventory: ctx.storage.put, this.sql.exec, and ctx.acceptWebSocket provide persistent state modification and communication capabilities. Sanitization: Templates ingest data to storage without explicit sanitization, creating risks for downstream agents processing that state.
  • [Command Execution] (MEDIUM): The file scripts/check-versions.sh contains shell commands (npm view) to query the npm registry. This represents a command execution risk if an agent triggers the script in a sensitive environment.
  • [External Downloads] (MEDIUM): templates/package.json specifies dependencies (wrangler, @cloudflare/workers-types) from the Cloudflare organization. Since Cloudflare is not on the predefined trusted list, these are classified as unverifiable external dependencies.
  • [Metadata Poisoning] (LOW): README includes performance claims (Token Efficiency) and safety assertions (Status: Production Ready) that attempt to influence the agent's evaluation of the skill's utility and security.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:25 PM