openai-chatkit-backend-python

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to create a gateway for untrusted external data (user messages from ChatKit) to be processed by an AI agent.
  • Ingestion points: The /chatkit/api endpoint in templates/fastapi_main.py and the handle_event function in templates/router.py consume raw JSON from the request body.
  • Boundary markers: The current templates pass the user's text into the prompt by basic string interpolation (input=text), with no delimiters separating untrusted content from instructions and no explicit "ignore embedded instructions" hardening at the prompt level.
  • Capability inventory: The examples (examples.md) and architectural guide (reference.md) demonstrate capabilities including file system writes (handle_upload), database lookups (get_employee), and multi-agent orchestration. These capabilities, when combined with untrusted input, create a significant attack surface.
  • Sanitization: The chatkit-backend/changelog.md file correctly identifies these risks and provides specific security best practices (validating thread ownership, sanitizing file types, and using authentication context). These mitigate some implementation risks but do not eliminate the fundamental injection surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:43 PM