
web-research

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill implements a research pipeline that ingests untrusted external data and processes it with high-privilege tools.
  • Ingestion points: Untrusted data enters the system through the web_search (via subagents) and fetch_url tools.
  • Boundary markers: Absent. The instructions do not define any delimiters or system-level instructions to ignore embedded commands within the research findings files (e.g., findings_[subtopic].md).
  • Capability inventory: The main agent and subagents have access to write_file, read_file, list_files, and task (subagent spawning). This combination allows an attacker-controlled web page to write malicious instructions that the main agent may execute when 'synthesizing' findings.
  • Sanitization: Absent. There is no requirement for the agent to filter, escape, or validate the content of the files generated by subagents before reading them back into the context.
  • Data Exposure & Exfiltration Risk (MEDIUM): Due to the lack of boundaries, a poisoned research finding could instruct the main agent to use its read_file capability to access sensitive local files (e.g., .env, ~/.ssh/config) and include their contents in the final 'synthesized' report or send them to an external URL via fetch_url.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:54 AM