clinical-reports

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The skill possesses a significant attack surface for indirect prompt injection because it is designed to ingest and process untrusted medical records. Ingestion points: Multiple scripts, including extract_clinical_data.py, compliance_checker.py, and terminology_validator.py, read content from external clinical files. Boundary markers: There are no explicit delimiters or instructions to the agent to ignore embedded commands within the processed clinical data. Capability inventory: The skill includes file writing capabilities via generate_report_template.py and produces structured data (JSON/Markdown) that the agent uses for decision-making. Sanitization: No sanitization or filtering of the ingested clinical content is performed before processing or display.
  • [Data Exposure] (MEDIUM): The skill is specifically designed to extract and manipulate PHI and PII. While no active exfiltration code was found, the regex-based extraction of vitals, demographics, and medications in extract_clinical_data.py facilitates the aggregation of sensitive data, increasing the impact of any potential downstream exfiltration.
  • [Metadata Discrepancy] (LOW): The README.md references a script, check_deidentification.py, that is missing from the provided skill files, potentially leading to a false sense of security regarding privacy verification.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 12:40 AM