langfuse-observability

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (HIGH): Indirect Prompt Injection Surface. The skill is designed to process untrusted external data (e.g., code snippets, user queries) and feed it directly into LLM prompts without sanitization or proper boundary markers.
  • Ingestion points: The content parameter in scripts/callback-handler.py (analyze_with_langchain) and scripts/observe-decorator.py (analyze_content).
  • Boundary markers: Absent. Input is concatenated using f-strings or simple labels like 'Analyze this code: {content}', which is easily bypassed by adversarial content.
  • Capability inventory: The skill instruments calls to highly capable models (claude-sonnet-4-5-20251101) often used in 'security auditor' or 'architect' roles, which typically have downstream influence on code merging or system configuration.
  • Sanitization: No escaping or validation is performed on the input string before interpolation.
  • EXTERNAL_DOWNLOADS (LOW): The skill relies on external libraries including langfuse, langchain-anthropic, and langgraph. While these are standard industry tools, they represent an external dependency chain that must be managed. (Downgraded to LOW per [TRUST-SCOPE-RULE] as the usage patterns are standard).
  • REMOTE_CODE_EXECUTION (MEDIUM): The 'Prompt Management' feature (references/prompt-management.md) allows the agent to fetch instructions from a remote Langfuse API. This 'Prompts-as-a-Service' pattern creates a risk where a compromised observability platform could inject malicious system instructions into the agent's workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:34 AM