NYC

OpenAI Apps MCP

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The example widget code in references/openai-metadata-format.md demonstrates a pattern where data received from an MCP tool is directly injected into the DOM using .innerHTML without sanitization.
  • Ingestion points: window.openai.getInitialData() in the restaurant-map.html example retrieves data provided by the tool handler via _meta.initialData.
  • Boundary markers: Absent. No delimiters or instructions are used to treat the data as non-executable content.
  • Capability inventory: The widget environment includes the window.openai.callTool API, which allows the widget (and any injected script) to trigger further agent actions.
  • Sanitization: Absent. The example explicitly uses innerHTML to render data.city and data.cuisine, which are sourced from tool input arguments. If an attacker influences these arguments through a conversation, they could execute arbitrary JavaScript within the widget context.
  • [EXTERNAL_DOWNLOADS] (SAFE): The project relies on standard, well-known industry packages for development. These are sourced from the official npm registry and used for their intended primary purpose of server and build configuration.
  • [COMMAND_EXECUTION] (SAFE): The scripts and configurations provided (scaffold-openai-app.sh, vite.config.ts) use standard build and deployment commands for Cloudflare Workers. No suspicious or hidden command execution patterns were detected.
  • [GENERAL] (INFO): Automated scanner alerts regarding 'Malicious URLs' appear to be false positives. The string request.params.name is a standard code variable, and window.openai.ca likely triggered a match on the .ca TLD within the window.openai.callTool function name in the documentation text.
Recommendations
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 06:03 PM