AGENT LAB: SKILLS

google-adk

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Data Exposure & Exfiltration] (LOW): The skill performs network operations using httpx and requests targeting api.example.com and localhost:3000 (MCP server). These domains are not on the trusted whitelist. Additionally, the fetch_external_data(url) tool in google_adk_tools_example.py accepts an arbitrary URL, which is a potential SSRF (Server-Side Request Forgery) sink if used without proper domain filtering.
  • [Indirect Prompt Injection] (LOW): The agents ingest untrusted external data from multiple points (API responses, news feeds, content critique) across google_adk_agent_implementation.py and google_adk_tools_example.py.
      • Ingestion points: fetch_user_data, get_company_news, critique_content.
      • Boundary markers: Generally absent in the prompt templates.
      • Capability inventory: High-privilege tools such as send_email and delete_user_account are present.
  • Sanitization: The send_email_tool demonstrates basic regex validation and HTML tag removal, and the skill explicitly uses ConfirmationMode.ALWAYS to require human approval for high-risk operations, significantly mitigating the risk.
  • [Remote Code Execution] (SAFE): No execution of remote scripts, piping of web content to shells, or unsafe dynamic evaluation of code was detected.
  • [Credentials Unsafe] (SAFE): No hardcoded API keys, tokens, or other secrets were found in the examples.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 05:16 PM