agentic-workflow-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill instructions explicitly direct agents to monitor external, untrusted data sources like Slack channels and meeting transcripts. There is a high risk that malicious instructions embedded in these channels could be executed by the agent.
    • Ingestion points: Slack threads, meeting transcripts, and Snowflake database records (SKILL.md, Implementation Workflow #3).
    • Boundary markers: None. The skill does not suggest any delimiters or 'ignore' instructions for external content.
    • Capability inventory: The agent is encouraged to draft GitHub Pull Requests, write/execute local Python scripts for data processing, and move data to external platforms like Google Drive (SKILL.md, Example 1 & 2).
    • Sanitization: Absent. There is no mention of validating or sanitizing the 'feature requests' or data pulled from these integrations before acting upon them.
  • Data Exposure & Exfiltration Risk (MEDIUM): The skill guides the agent to access highly sensitive corporate data environments including Snowflake, Salesforce, and Jira. While the described use cases are for reporting, the lack of defined access boundaries combined with the 'anticipatory' nature of the agent creates a significant risk for unauthorized data movement.
  • Unsafe Privilege Patterns (MEDIUM): The workflow suggests enabling non-technical users to build 'self-service' portals with agents that have the power to 'act' (create files, move data). This decentralization of tool creation without a centralized security framework increases the attack surface for the organization.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:03 PM