The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill includes a command-line example in Step 5.4 that pipes remote content from an untrusted URL (https://agent.example.com/.well-known/agent.json) directly into the python3 interpreter. Piped remote execution is a critical security risk that can allow arbitrary code execution if the remote source is compromised.
[PROMPT_INJECTION]: The skill's primary purpose is the design of agent manifests (agent.json) that contain natural language fields like descriptions and examples. These fields are processed by discovering agents, creating a surface for indirect prompt injection attacks. * Ingestion points: The description and examples fields within the agent.json manifest (SKILL.md, Steps 1 and 2). * Boundary markers: Absent; the documentation does not suggest using delimiters or instructional guards to prevent agents from executing instructions found in the manifest content. * Capability inventory: The A2A protocol described involves discovering and invoking agent skills based on these manifests. * Sanitization: Absent; no guidance is provided for sanitizing or validating the natural language content before ingestion.

design-a2a-agent-card