code-pipelines
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted data from external sources into LLM prompts used for decision-making and content generation. Ingestion points: the skill processes raw inbound email bodies in `pipelines/conversational/email-reply-handler.ts` and Slack messages in `pipelines/conversational/slack-bot.ts`. Boundary markers: external data is delimited using markdown headers (e.g., '## Contact Context' or '## Inbound email'), but the prompts lack robust instructions telling the AI to disregard instructions embedded within that data. Capability inventory: the agent has extensive capabilities, including sending emails via Gmail and SendGrid, updating records in HubSpot and Salesforce, and posting to Slack. Sanitization: no specific filtering logic is present to sanitize external content for malicious injection payloads.
- [COMMAND_EXECUTION]: The skill involves generating and executing TypeScript code for automation tasks. It provides instructions to use the `npx trigger.dev` CLI for development and deployment, which executes code within the user's environment.
- [DATA_EXFILTRATION]: The skill facilitates the transfer of lead and contact information across various integrated platforms (CRM, email, Slack). This involves handling sensitive PII and potentially exposing it to external APIs during the enrichment and notification phases.
- [CREDENTIALS_UNSAFE]: The configuration requires several high-privilege API keys and tokens for services such as HubSpot, Salesforce, and Google. The `gmail.ts` helper handles Google Service Account JSON keys using Base64 decoding, which is a standard procedure but concentrates sensitive credentials in the pipeline environment.
Audit Metadata