
Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): This skill provides a significant attack surface for indirect prompt injection, as it facilitates the translation of user-provided requirements and workflows into executable skills without safety boundaries.
    1. Ingestion points: User input regarding the purpose, activation triggers, and workflow logic as described in 'skill-creator/SKILL.md'.
    2. Boundary markers: Absent; there are no instructions or templates that include delimiters to isolate user-provided logic from system instructions.
    3. Capability inventory: 'Bash', 'Write', 'Edit', 'Read', 'Glob', and 'Grep' are permitted across the skill's files.
    4. Sanitization: Absent; the workflow lacks any validation or sanitization mechanisms for user-provided commands or logic before they are written to the file system or executed during the 'testing' phase.
  • Command Execution (HIGH): The skill metadata explicitly requests 'Bash' tool access. While the stated purpose is to allow testing of the logic of newly created skills, this capability allows the execution of arbitrary and potentially malicious system commands if the skill-creation process is manipulated by a malicious user or an adversarial prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:53 PM