The Agent Skills Directory

Indirect Prompt Injection (HIGH): The 'Client Tools' architecture enables a critical vulnerability surface where external clients provide tool definitions that are directly merged into the LLM's system-level context. • Ingestion points: The tools array in the RunAgentInput object (agui-protocol.md) and the state.client?.tools property in the LangGraph adapter (adapter-langgraph.md). • Boundary markers: Absent; client-provided tool metadata is combined with server-side tools without any isolation or 'ignore embedded instructions' markers. • Capability inventory: The AI agent can be induced to call these client-defined tools, potentially hijacking the logic flow or exfiltrating data via tool arguments. • Sanitization: Absent; the framework lacks server-side validation or filtering for the client-supplied tool names, descriptions, or JSON schemas.
Privilege Escalation (HIGH): The documentation for CloudBaseSaver in 'Production' environments (adapter-langgraph.md) shows identity extraction from an Authorization header's JWT payload using atob without signature verification. This allows an attacker to forge a token with an arbitrary sub claim to impersonate other users and access their private conversation history or state.
External Downloads (MEDIUM): The skill requires the installation of several packages from the @cloudbase and @ag-ui scopes (e.g., @cloudbase/agent-server, @ag-ui/client). These providers are not on the predefined list of trusted organizations and require independent verification.
Credentials Unsafe (LOW): Example code in server-quickstart.md demonstrates an observability configuration with a hardcoded placeholder for a 'Basic' authorization header. While it is a placeholder, this pattern promotes insecure credential management practices instead of using environment variables.

cloudbase-agent-ts