
javascript-sdk

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [DYNAMIC_EXECUTION]: The references/tool-builder.md file contains a demonstration of a calculator tool implemented by calling eval() on model-controlled input (call.args.expression). This pattern is dangerous because an AI agent that is successfully targeted by a prompt injection attack can be steered into supplying arbitrary JavaScript, which the tool then executes with the privileges of the host process.
  • [INDIRECT_PROMPT_INJECTION]: The skill outlines patterns for building AI agents that ingest data from external APIs, search results, and tool outputs, which constitutes a significant surface for indirect prompt injection.
    • Ingestion points: Untrusted data enters the agent context via agent.sendMessage inputs, onToolCall arguments (from external apps and webhooks), and onMessage updates (streamed from models).
    • Boundary markers: The provided examples do not delimit external data or give the model instructions to ignore commands embedded within it.
    • Capability inventory: The agents have extensive capabilities, including file system manipulation (references/files.md), network connectivity via webhooks (references/tool-builder.md), and script execution via the SDK's internal tools.
    • Sanitization: There is no evidence of input validation or content sanitization in the example code provided to developers.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The SDK's support for webhookTool and file uploads to cloud storage (inference.sh) provides a channel for data exfiltration if the agent's logic is subverted. Use of readFileSync and writeFileSync on local files (references/agent-patterns.md) without path validation also risks exposing sensitive data if the paths are controlled by the agent.
  • [CREDENTIALS_UNSAFE]: While the SDK provides safe authentication patterns, it handles sensitive API keys. The documentation correctly identifies the risk of exposing keys in frontend code and recommends using server-side proxies and environment variables.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 12:27 PM