idea-discovery-robot
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to its core functionality of processing external research data.
  - Ingestion points: Untrusted data enters the agent's context through the `/research-litsub-skill` and the `WebSearch`/`WebFetch` tools, which are used to gather papers and online content.
  - Boundary markers: The skill does not implement delimiters (such as XML tags or specific markdown markers) to separate ingested external content from its internal instructions or system prompts.
  - Capability inventory: The agent has access to highly capable tools, including `Bash(*)`, `Write`, `Edit`, and `Agent`, which could be exploited if malicious instructions are embedded in the processed literature.
  - Sanitization: There is no evidence of input validation, filtering, or escaping of the external data before it is presented to the model or used to generate subsequent thoughts and actions.
  - Risk Factor: The `AUTO_PROCEED` feature allows the pipeline to continue execution without human intervention, potentially allowing an injection attack to progress through multiple phases autonomously.
- [COMMAND_EXECUTION]: The skill uses the `Bash(*)` tool to manage the robotics research workflow and file system, which allows arbitrary shell command execution. While this is part of the intended functionality, it increases the potential impact if the agent's logic is subverted through malicious input.
Audit Metadata