The Agent Skills Directory

PROMPT_INJECTION (LOW): Identified an indirect prompt injection surface where external document content is ingested and processed to drive file system operations.
Ingestion points: Reads content from .docstore/extracted/<id>/raw.md and .docstore/extracted/<id>/meta.yaml (File: SKILL.md, Step 1).
Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands within the raw.md content during the transformation step.
Capability inventory: Access to Bash, Write, Edit, and Read tools allows for significant file system modification and command execution.
Sanitization: Absent. There is no evidence of content validation or escaping before the data is used to generate new files or structure headers.
COMMAND_EXECUTION (LOW): The skill is granted the Bash tool (File: SKILL.md, frontmatter). While the workflow describes standard file operations, the presence of a shell tool combined with the processing of untrusted markdown files creates a risk path for command injection if an attacker can craft a raw.md file that influences the agent's logic.

doc-integrate