The Agent Skills Directory

[DATA_EXFILTRATION]: The skill contains a function that enables reading arbitrary files from the local filesystem based on user-influenced parameters.
Evidence: The readJsonInput function in scripts/lib.mjs (and scripts/_lib.mjs) uses readFileSync to load content from a file path provided via the --payload-file argument.
Risk: If an AI agent is manipulated via indirect prompt injection, it could be coerced into reading sensitive files (such as .env, credentials, or SSH keys) and potentially leaking their contents through error messages or API transmissions.
[COMMAND_EXECUTION]: The skill's operational logic depends on the execution of local Node.js scripts with arguments derived from natural language input.
Evidence: SKILL.md defines multiple workflows where the agent is instructed to execute node scripts/business-record.mjs with various flags and positional arguments.
[PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests untrusted data while having access to powerful system capabilities.
Ingestion points: Natural language sales input used to populate business records as described in SKILL.md.
Boundary markers: Absent. The provided prompt templates do not use specific delimiters or warnings to isolate untrusted user data from the agent's instructions.
Capability inventory: Arbitrary file read access via readFileSync, network communication to https://crm.langcore.net, and local script execution.
Sanitization: Basic HTML tag stripping is performed on the description field, but no validation or sanitization is applied to file paths or other arguments passed to the CLI scripts.

lcrm-business-record