NYC

hypogenic

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH

Category: PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection due to the way it handles external data in its prompt templates.
  • Ingestion points: The prompts section in references/config_template.yaml defines several templates (observations, inference, adaptive_refinement) that ingest untrusted content through placeholders like {data_samples}, {sample_text}, and {challenging_examples}. This data originates from the data/ directory and the papers/ directory (PDFs).
  • Boundary markers: Absent. There are no delimiters (e.g., XML tags, clear separators) or instructions to the LLM to ignore potentially malicious commands embedded within the interpolated data.
  • Capability inventory: The skill has significant capabilities, including performing binary classification (inference), filtering hypotheses based on task descriptions, and automatically refining hypotheses based on failed examples. A malicious injection in a data sample could hijack these logic flows.
  • Sanitization: The configuration contains no mechanisms for escaping or validating the content of external files before they are injected into the prompt context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:20 PM