clockwork-compliance-check

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in references/workflows/compliance-check-workflow.md explicitly direct the agent to execute a shell command: curl -L --fail "<csv_url>". Since csv_url is supplied by the user at runtime, this pattern is highly susceptible to command injection if the execution environment does not strictly sanitize the input.
  • [EXTERNAL_DOWNLOADS]: The workflow requires downloading a roster from an arbitrary external URL provided in the prompt. This can be used to bypass network restrictions or to reach internal services (SSRF) from the agent's environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: Data is ingested from a remote CSV file specified by the csv_url variable in references/workflows/compliance-check-workflow.md.
      • Boundary markers: There are no instructions to use delimiters or to ignore instructions embedded within the CSV cell values.
      • Capability inventory: The skill has access to Clockwork MCP (timer data), Calendar MCP (leave status), Jira MCP (task data), and local shell tools (curl, python, awk).
      • Sanitization: While the workflow mentions validating the schema (checking for accountId and displayName), it does not sanitize the text content of the data fields, so the LLM may obey instructions hidden within them.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 2, 2026, 06:37 AM