
s3

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill handles untrusted local data (source directories) and possesses high-privilege capabilities including network access and cloud write operations.
  • Ingestion points: Files and directory structures in paths like slides/ or user-specified directories are read by the agent.
  • Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore potential malicious instructions embedded within the files being uploaded.
  • Capability inventory: The skill uses uv run to execute generated Python scripts and boto3 to perform network uploads to S3.
  • Sanitization: There is no evidence of sanitizing file names or content before they are used in script generation or uploaded to the cloud.
  • Dynamic Execution (MEDIUM): The skill instructions explicitly direct the agent to 'Create a Python script using boto3' and then execute it via uv run.
  • Evidence: The workflow involves runtime script generation followed by execution, which can be exploited if the agent interpolates unsafely handled file names or metadata into the generated script code.
  • Data Exposure & Exfiltration (LOW): The skill requires sensitive cloud credentials (S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY). While necessary for the stated purpose, the use of these keys in dynamically generated scripts creates a risk of accidental exposure in logs or exfiltration if the target bucket is controlled by an attacker.
  • External Downloads (LOW): The skill installs uv via Homebrew and requires the boto3 Python package.
  • Trust Status: These are trusted sources/packages, downgrading this specific finding to LOW per [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:51 AM