moodle-external-api-development
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The suggested logging implementation in the skill uses insecure world-writable directory permissions.
  - Evidence: The log_debug function in the Step 6 implementation uses mkdir($logdir, 0777, true) to create a log directory.
  - Impact: Utilizing 0777 permissions allows any user on the local system to read, write, or delete files within that directory, which poses a risk of log tampering or local privilege escalation.
- [DATA_EXFILTRATION]: The skill demonstrates logging sensitive execution details, including database interactions, to the local filesystem.
  - Evidence: The error handling logic in Step 6 captures and logs the last executed SQL query via $DB->get_last_sql() and the full execution stack trace via $e->getTraceAsString().
  - Impact: Logs containing database schema details and internal application logic could be accessed by unauthorized parties if the server's data directory permissions are not correctly configured.
- [PROMPT_INJECTION]: The skill defines an architecture for processing external data through custom web services, creating a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context through the execute() method parameters defined in execute_parameters().
  - Boundary markers: The skill includes validation via Moodle's validate_parameters() but does not suggest delimiters or explicit instructions to prevent the agent from following commands embedded in the data.
  - Capability inventory: The provided templates allow for extensive system modifications, including database writes (insert_record, set_field), course module creation, and filesystem access via file_put_contents.
  - Sanitization: Input is sanitized using Moodle's PARAM_* constants, which provides type safety but does not protect against instructions embedded within valid text parameters.