skill-analyzer

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill establishes an attack surface by defining patterns to ingest and process untrusted content from external files.
    - Ingestion points: Metadata fields (name, description, tags) and workflow phases are extracted from untrusted SKILL.md files as described in SKILL.md and references/frontmatter-parsing.md.
    - Boundary markers: There are no defined delimiters or instructions to the agent to isolate extracted text from its own logic, potentially allowing a malicious SKILL.md to override behavior.
    - Capability inventory: Extracted content is consumed by downstream tools in the demo pipeline, such as generate.sh and terminal-demo-generator, which involve script generation and execution.
    - Sanitization: While the Python reference uses yaml.safe_load, the Bash extraction patterns lack sanitization, and there is no evidence of filtering malicious instructions within the extracted text strings.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:22 PM