skills/vm0-ai/vm0-skills/discord/Gen Agent Trust Hub

discord

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a high-risk capability tier where it ingests untrusted external data and has write/execute permissions.
      • Ingestion points: Messages are retrieved via https://discord.com/api/v10/channels/<your-channel-id>/messages in SKILL.md.
      • Boundary markers: No delimiters or instructions are provided to the agent to treat Discord message content as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill can execute side-effect actions including DELETE messages, POST new messages, POST webhooks, and POST channel creations.
      • Sanitization: No evidence of sanitization or validation of the message content before the agent processes it.
  • Command Execution (MEDIUM): The skill relies on bash -c wrappers for nearly all operations.
      • Evidence: Multiple examples use bash -c 'curl ... ${DISCORD_BOT_TOKEN}'. While intended to address environment variable scoping, this pattern encourages the agent to execute shell commands that could be manipulated if input IDs or JSON payloads are not strictly validated.
  • Data Exposure (LOW): The skill manages a sensitive DISCORD_BOT_TOKEN.
      • Evidence: It correctly identifies the token as a secret in vm0_secrets, but the use of bash -c to interpolate the secret into a shell command increases the risk of the secret appearing in process lists or logs depending on the environment configuration.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:34 PM