fastgpt-workflow-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill creates an Indirect Prompt Injection surface by interpolating untrusted user requirements into complex workflow configurations.
  1. Ingestion points: User requirements are ingested for semantic analysis and template matching in 'references/template_matching.md'.
  2. Boundary markers: No delimiters or 'ignore' instructions are used to separate user data from generation logic.
  3. Capability inventory: 'references/node_types_reference.md' describes nodes capable of HTTP requests ('httpRequest468'), file reading ('readFiles'), and arbitrary code execution ('code').
  4. Sanitization: The documentation provides no evidence of input validation or escaping before interpolation into the workflow JSON.
- DATA_EXFILTRATION (MEDIUM): The 'TEMPLATE_DIR' configuration mentioned in 'templates/README.md' permits the use of external directories. If an attacker influences this path via prompt injection, they could perform path traversal to read sensitive files from the local environment.
- COMMAND_EXECUTION (LOW): The skill documentation refers to a local validation script ('node scripts/validate_workflow.js') in 'references/validation_rules.md'. While the script is not included in the provided files, directing users to run scripts on dynamically generated (and potentially injected) JSON represents a secondary risk factor.
Recommendations
- AI detected serious security threats
Audit Metadata