internal-comms

Warn

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: MEDIUM | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill instructions in examples/3p-updates.md, examples/company-newsletter.md, and examples/faq-answers.md direct the agent to ingest data from Slack, Email, Google Drive, and external web content, creating a significant surface for indirect prompt injection.
    * Ingestion points: Slack channels, Google Drive documents, Email threads, Calendar events, and External Press websites.
    * Boundary markers: None; the instructions do not specify the use of delimiters or 'ignore embedded instructions' directives for the ingested content.
    * Capability inventory: The agent is encouraged to read across sensitive internal and external domains to generate widely distributed communications.
    * Sanitization: No sanitization or validation of retrieved content is requested.
  • [Data Exposure & Exfiltration] (MEDIUM): The skill explicitly directs the agent to access and aggregate sensitive internal data from private communication channels (Email, Slack) and document storage. Although this is the primary purpose of the skill, the lack of filtering criteria creates a risk of exposing confidential or sensitive information in broader company-wide updates. The severity is downgraded from HIGH to MEDIUM as this behavior is central to the skill's intended use case.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 22, 2026, 02:08 PM