agentica-prompts

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (LOW): The skill defines templates for agent system prompts that interpolate external, potentially untrusted data into high-privilege contexts.
  • Ingestion points: Data is ingested via placeholders like {TASK_DESCRIPTION}, {CODE_MAP}, and {INPUT_DIR} in the 'Agent System Prompt Template'.
  • Boundary markers: The templates do not include explicit boundary markers or 'ignore' instructions to prevent the agent from obeying instructions embedded within the injected variables.
  • Capability inventory: The described system architecture explicitly includes high-privilege tools: bash(), read_file(), write_file(), and edit_file().
  • Sanitization: No sanitization or validation logic is provided for the interpolated strings, increasing the risk that an attacker-controlled code map or task description could trigger unauthorized actions via the bash() tool.
  • Command Execution (LOW): The skill provides documentation and templates that encourage the use of a bash() tool and direct file system manipulation within the 'Agentica orchestration framework'. While the skill does not execute these commands directly, it provides the implementation logic for agents to perform these operations.
  • Unverifiable Dependencies (LOW): The skill references an external tool rp-cli (RepoPrompt) for generating repository context. This tool is not on the trusted repository list and its execution is suggested in the documentation (rp-cli --path . --output .claude/cache/agents/codemap.md).
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:02 PM