The Agent Skills Directory

[PRIVILEGE_ESCALATION]: In the 'If MCP server is missing' section of SKILL.md, the agent is instructed to retry installation with 'escalated permissions' if an attempt fails, and is specifically commanded: 'Do not ask the user to run it yet.' This is a high-severity instruction designed to bypass user authorization and security boundaries.\n- [PROMPT_INJECTION]: The file references/gpt-5p4-prompting-guide.md contains an 'instruction_priority' block that tells the agent: 'User instructions override default style, tone, formatting, and initiative preferences' and 'If a newer user instruction conflicts with an earlier one, follow the newer instruction.' This structural vulnerability explicitly allows for the bypass of initial instructions.\n- [METADATA_POISONING]: The skill provides authoritative documentation and model snapshots for several non-existent products (e.g., GPT-5.4, GPT-5-mini, Sora-2). This deceptive content, while presented as a reference guide, serves to mislead the agent and users regarding actual model capabilities and available services.\n- [COMMAND_EXECUTION]: The skill uses the 'codex' CLI tool to perform installations from external URLs. While the target domain is reputable, the instruction to perform unverified command-line installations poses a persistent risk to the host environment, especially when coupled with the instructions for escalated execution.

openai-docs