The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill ingests untrusted investment reports (path_to_report.md) which serve as the primary context for the adversarial debate. There are no boundary markers or instructions to ignore embedded commands, allowing a malicious report to hijack the personas of Buffett, Wood, or Druckenmiller to force a specific investment outcome.
Ingestion Point: run_committee.py reads external Markdown files.
Boundary Markers: Absent in SKILL.md and persona files.
Capability Inventory: Agent can perform multi-round reasoning, influence financial decisions, and call write_to_file to save outcomes.
Sanitization: None detected.
Dynamic Execution / HTML Injection (HIGH): The scripts/md_to_pdf.py script converts user-provided Markdown to HTML and renders it using playwright.pdf(). Since the Markdown content is untrusted and passed directly into the HTML body without sanitization, an attacker can embed malicious HTML/JS (e.g., <script>, <iframe>) to perform Local File Inclusion (LFI) or execute code within the headless browser context.
Command Execution (MEDIUM): The skill requires running local Python scripts (run_committee.py, md_to_pdf.py) that perform filesystem operations and network requests via yfinance and the Gemini API. While the logic appears functional, the execution of these scripts on untrusted input files poses a risk if the environment is not isolated.

investment-committee