outlook-email

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted data from external email subjects and bodies, which could contain malicious instructions designed to manipulate the AI agent's behavior.
      • Ingestion points: graphClient.api('/users/${userId}/mailFolders/inbox/messages') and search/filter operations in SKILL.md.
      • Boundary markers: No specific delimiters or instructions are implemented to prevent the agent from obeying instructions found within email content.
      • Capability inventory: The skill possesses significant capabilities, including sending mail (sendMail), managing inbox rules (messageRules), and file system interaction (fs.writeFileSync), as seen in SKILL.md.
      • Sanitization: No sanitization, escaping, or validation of email content is performed before it is processed or presented to the agent.
  • [COMMAND_EXECUTION]: The code example provided for downloading and saving email attachments is vulnerable to a path traversal attack.
      • Evidence: In SKILL.md, the line fs.writeFileSync(attachment.name, fileData) uses the attachment.name property directly from the Graph API. An attacker could send an email with a malicious filename (e.g., ../../.bashrc) to overwrite sensitive files if the agent executes this logic without sanitization.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 13, 2026, 09:16 PM