skills/simhacker/moollm/budtender/Gen Agent Trust Hub

budtender

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect prompt injection surface detected via file ingestion.
    • Ingestion points: The skill utilizes read_file to load customer_preferences and menu data as specified in CARD.yml.
    • Boundary markers: Absent. The instructions do not define delimiters or provide specific guidance to the agent to disregard potential instructions embedded within the external preference files.
    • Capability inventory: Across SKILL.md and CARD.yml, the skill is granted read_file, write_file, and list_dir permissions, which allow for state persistence and information retrieval.
    • Sanitization: No sanitization or validation logic is present to filter data read from the filesystem before it is interpreted by the agent.
  • [DATA_EXPOSURE] (SAFE): While the skill requests file system permissions (read_file, write_file), the stated use case (managing 'tabs' and 'customer preferences') is consistent with the bartender/budtender role. No patterns were found indicating attempts to access sensitive system directories like ~/.ssh or .env files.
  • [REMOTE_CODE_EXECUTION] (SAFE): No remote code execution patterns, external script downloads, or dynamic code execution (eval/exec) were identified in the analyzed files.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:36 PM