javascript-sdk
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: Documentation and reference files (such as 'references/agent-patterns.md' and 'references/tool-builder.md') include examples that pass text generated by the model, such as a math expression or a code snippet, straight to 'eval()'. Because the model's output is then executed with the agent process's full privileges, the pattern turns any prompt injection into code execution: an attacker who controls something the model reads (a user message, an uploaded file, a fetched page) can steer it to emit code that 'eval()' runs.
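The finding above is best seen side by side. The block below is an added example, not code from the audited skill or its reference files: 'calculateUnsafe' is the eval()-on-model-output pattern the audit describes, and 'evaluateArithmetic' is a replacement that parses only arithmetic (numbers, + - * / ^, parentheses, unary minus) and rejects everything else before anything is evaluated. Both function names and the grammar are assumptions made for this illustration.

```javascript
// Added example (not from the audited skill). Shows the vulnerable pattern the
// audit flags next to a hardened replacement. Function names are assumptions.

// VULNERABLE: whatever the model produced is executed in the agent process.
// Kept only for contrast; never call this with model output.
function calculateUnsafe(modelOutput) {
  return eval(modelOutput);
}

// HARDENED: a recursive-descent evaluator for arithmetic only. A payload such
// as "process.exit(1)" or "require('child_process')" fails at tokenisation,
// so no part of it is ever executed.
function evaluateArithmetic(expr) {
  if (typeof expr !== 'string' || expr.length > 256) {
    throw new Error('expression rejected: not a short string');
  }
  expr = expr.trim();

  // Tokenise with an allowlist: decimal numbers and a fixed operator set.
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/^()]))/y; // sticky: no gaps allowed
  let pos = 0;
  while (pos < expr.length) {
    re.lastIndex = pos;
    const m = re.exec(expr);
    if (!m) throw new Error(`expression rejected at offset ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else tokens.push({ type: 'op', value: m[2] });
    pos = re.lastIndex;
  }

  let i = 0;
  const peekOp = (...ops) =>
    tokens[i] && tokens[i].type === 'op' && ops.includes(tokens[i].value);
  const next = () => tokens[i++];

  // expr := term (('+'|'-') term)*
  function parseExpr() {
    let v = parseTerm();
    while (peekOp('+', '-')) {
      const op = next().value;
      const r = parseTerm();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  // term := factor (('*'|'/') factor)*
  function parseTerm() {
    let v = parseFactor();
    while (peekOp('*', '/')) {
      const op = next().value;
      const r = parseFactor();
      if (op === '/' && r === 0) throw new Error('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  // factor := '-' factor | primary ('^' factor)?   ('^' is right-associative,
  // and unary minus binds looser than '^', so -2^2 is -4)
  function parseFactor() {
    if (peekOp('-')) { next(); return -parseFactor(); }
    const base = parsePrimary();
    if (peekOp('^')) { next(); return base ** parseFactor(); }
    return base;
  }
  // primary := number | '(' expr ')'
  function parsePrimary() {
    const t = next();
    if (!t) throw new Error('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.value === '(') {
      const v = parseExpr();
      if (!peekOp(')')) throw new Error("expected ')'");
      next();
      return v;
    }
    throw new Error(`unexpected token '${t.value}'`);
  }

  const result = parseExpr();
  if (i !== tokens.length) throw new Error('trailing input rejected');
  if (!Number.isFinite(result)) throw new Error('non-finite result');
  return result;
}

module.exports = { calculateUnsafe, evaluateArithmetic };
```

The hardened version throws rather than returning a sentinel, so an agent loop that catches the error can report "could not evaluate" to the model instead of silently executing or silently dropping the request; the 256-character cap and the finite-result check keep a crafted expression from being used as a denial-of-service vector either.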
- [COMMAND_EXECUTION]: The 'SKILL.md' configuration explicitly permits the agent to use Bash tools including 'npm', 'npx', 'node', 'pnpm', and 'yarn'. Additionally, the 'internalTools' API supports a 'codeExecution' capability, granting the agent significant privileges to execute arbitrary commands and scripts in the environment.
- [EXTERNAL_DOWNLOADS]: The skill facilitates downloading configuration and logic from remote URLs via the 'skills' property and supports the installation of external NPM packages. It also interacts with various external APIs through the 'webhookTool' and 'fetch' operations.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection. 1. Ingestion points: untrusted data enters via 'agent.sendMessage', 'uploadFile', and remote 'skills' URLs. 2. Boundary markers: although a 'system_prompt' is used, the examples place interpolated external data in the prompt without explicit delimiters and without any instruction telling the model to treat such data as non-authoritative. 3. Capability inventory: the skill has access to Bash command execution, 'eval()', and network and file system operations, so an injected instruction has privileged actions available to it. 4. Sanitization: no validation or sanitization of external content is demonstrated in the provided examples.
- [CREDENTIALS_UNSAFE]: Several code snippets in the documentation and references use hardcoded placeholder strings for API keys (e.g., 'inf_your_key'). The placeholders themselves are not secrets, but the pattern invites end-users to paste a real key into source in the same position; keys should instead be loaded from environment variables or a secret manager so they never reach version control.
Audit Metadata