doc-driven-development

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is explicitly designed to ingest untrusted data from the web and use it to drive code generation. This is a critical vulnerability surface.
  • Ingestion points: Uses Context7, DuckDuckGo, and firecrawl_scrape to pull content from external URLs (found in SKILL.md and references/search-strategy.md).
  • Boundary markers: Absent. The instructions provide no delimiters or warnings to treat external documentation as untrusted data; instead, they encourage the agent to 'implement based on the documentation' (基于文档实现).
  • Capability inventory: The agent is given the capability to write, modify, and 'fix' code based on these inputs.
  • Sanitization: Absent. There is no mechanism to validate the integrity of the documentation or filter out executable instructions embedded in markdown/HTML comments.
  • External Downloads (MEDIUM): The skill instructs the agent to use firecrawl_scrape on arbitrary URLs and search for information via DuckDuckGo. While aimed at documentation, this allows the agent to interact with attacker-controlled web servers.
  • Command Execution (LOW): The skill documentation includes examples of code execution for version checking (e.g., import llama_index; print(llama_index.__version__)). While benign in the example, the workflow's goal is to produce and execute code based on external search results, which can be manipulated.
  • Safe Practices Noted (INFO): The references/mcp-usage-rules.md file contains good defensive language, such as '不上传敏感信息' (Do not upload sensitive information) and '默认离线优先' (Default offline first), which mitigates some data exposure risks but does not address the code injection risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:05 AM