financial-proposal-generator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill documentation explicitly instructs the agent to run various Python scripts (e.g., generate_narrative.py, generate_budget.py) using python3. This capability is dangerous if parameters such as project names or assembly IDs are derived from untrusted inputs.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill processes untrusted data files to generate financial narratives and budgets. Ingestion points: Reads from data/wp_config.json and data/impact_feedback.json as well as user-provided narrative files. Boundary markers: None are defined to separate instructions from data. Capability inventory: Includes subprocess execution (python3) and file system writes. Sanitization: No input validation or escaping is documented. This combination allows an attacker to embed malicious prompts in the configuration or feedback data that the agent may interpret as commands.
  • [DATA_EXPOSURE] (MEDIUM): The skill uses absolute system paths under /srv/janus/03_OPERATIONS/ and /srv/janus/logs/. These point to an environment-specific dependency that could be exploited to access or modify sensitive operational logs and project data.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:40 AM