The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill's architecture creates a significant attack surface for indirect prompt injection. It retrieves data from potentially attacker-controlled sources (web search results via Tavily and vector database documents) and uses this content to influence its internal logic flow.
Ingestion points: The web_search function in SKILL.md and adaptive_retrieve in references/self-rag.md ingest untrusted content from the web and external databases.
Boundary markers: The generate node in SKILL.md concatenates document content with simple numeric indices (e.g., [1] doc...) and newlines, lacking robust delimiters or 'ignore' instructions to prevent the model from obeying commands embedded within the documents.
Capability inventory: The skill executes network searches (tavily_client.search) and performs 'self-correcting' logic (routing, query rewriting, and document grading) based on the ingested data.
Sanitization: No sanitization or filtering logic is present for retrieved text before it is interpolated into LLM prompts for grading or generation.
Network Operation (LOW): The skill performs outbound network requests to tavily.com via the tavily_client. While this is consistent with the stated purpose (web fallback), the domain is not on the standard whitelist for trusted data destinations.
Metadata Anomalies (MEDIUM): The SKILL.md file references a future version of LangGraph (1.0.6, Jan 2026), which suggests the instructions may be generated or include hallucinated metadata intended to simulate authority or specific environment requirements.

agentic-rag-patterns