agent-workflow-patterns

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Dynamic Execution] (CRITICAL): File templates/react-agent.ts uses eval() in the calculate tool of the mathProblemSolver example. This allows arbitrary code execution because the input to eval() is generated by the LLM based on user-provided tasks. The code comment claiming it is 'Safe eval using Function constructor' is misleading as it uses the raw eval() function.
  • [Indirect Prompt Injection] (HIGH): The reactAgent function in templates/react-agent.ts is vulnerable to indirect prompt injection.
      • Ingestion points: Ingests untrusted data through the task parameter (line 53) and via result.toolResults (line 152).
      • Boundary markers: Relies on weak natural language delimiters (THOUGHT, ACTION, OBSERVATION) without strict escaping or instruction isolation.
      • Capability inventory: The skill has access to powerful system tools (Bash, Write, Read) and a tool with eval() capabilities.
      • Sanitization: No input sanitization or output validation is implemented for external data processed by the agent.
  • [Command Execution] (HIGH): The allowed tools in SKILL.md include Bash, Write, and Read. When combined with the high-risk injection surface in the reactAgent pattern, an attacker can manipulate the agent into executing arbitrary shell commands or modifying system files.
  • [Unverifiable Dependencies] (MEDIUM): The SKILL.md file references multiple templates (multi-agent-system.ts, workflow-orchestrator.ts, etc.) and a validation script (scripts/validate-agent.sh) that are missing from the provided skill package and cannot be audited.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 07:29 AM