The Agent Skills Directory

[DATA_EXFILTRATION]: The main SKILL.md file contains hardcoded absolute file paths pointing to a specific user's home directory (/Users/ravishankar/Downloads/docs/). While these are intended as documentation references, instructing an agent to read from specific user-controlled paths is a security risk that could lead to unintended file exposure or access failures across different environments.
[COMMAND_EXECUTION]: The skill requests the Bash tool across several modules (apple-intelligence, visual-intelligence, and foundation-models). While common in development skills, this provides the agent with high-privilege access to the underlying system. No malicious shell commands were found in the provided content, but the capability is broader than necessary for a purely documentation-based skill.
[PROMPT_INJECTION]: The skill includes sections on prompt engineering for on-device LLMs. While these are presented as best practices for developers, the agent's instructions for handling structured output and persona constraints should be monitored to ensure they do not conflict with the agent's own safety guidelines.
[INDIRECT_PROMPT_INJECTION]: The skill has a potential attack surface through its data ingestion practices.
Ingestion points: The skill references external markdown documentation files located at /Users/ravishankar/Downloads/docs/ that the agent is expected to read.
Boundary markers: There are no explicit boundary markers or instructions to treat the content of these external files as untrusted data.
Capability inventory: The skill allows Bash, Write, and Edit operations, which could be leveraged if the documentation content contains malicious instructions.
Sanitization: No sanitization or validation logic is defined for the content read from the local documentation paths.

apple-intelligence