malaga-embassy-operator

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE

PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill demonstrates a vulnerability surface where untrusted data is ingested and then reflected back into the agent's context through briefings and dashboards.
  • Ingestion points: The --client and --notes arguments in track_revenue.py and the --description argument in check_constitutional_cascade.py accept arbitrary user-controlled strings.
  • Boundary markers: The templates used in generate_daily_briefing.py do not utilize any delimiters or system-level instructions to differentiate between trusted template content and untrusted data variables.
  • Capability inventory: The skill scripts have the capability to write to the local filesystem (e.g., /srv/janus/03_OPERATIONS/) and execute data-processing logic.
  • Sanitization: The _render_markdown function in generate_daily_briefing.py uses simple string replacement (.replace()) to build output files, providing no protection against malicious instructions embedded in the revenue or spending logs.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:46 PM