graphify
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the package 'graphifyy' from PyPI. This name (with a double 'y') is inconsistent with the repository name 'graphify' and the imported module name 'graphify' used in the same script, which is a common indicator of a potential typosquatting or supply chain risk.
- [REMOTE_CODE_EXECUTION]: The skill downloads and installs an external Python package and subsequently executes it using 'python -m graphify', allowing for the execution of third-party code.
- [COMMAND_EXECUTION]: The installation script uses the '--break-system-packages' flag with pip, which forces installation into the system Python environment and potentially bypasses environment protections.
- [COMMAND_EXECUTION]: Subsequent steps execute commands using a path dynamically read from a local file ('$(cat graphify-out/.graphify_python)'). This mechanism can be exploited if an attacker gains the ability to modify the contents of that file.
- [DATA_EXFILTRATION]: The skill provides a command to fetch content from arbitrary URLs ('/graphify add '), which could be misused for server-side request forgery (SSRF) or to bring malicious data into the environment.
- [PROMPT_INJECTION]: The skill possesses a surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: It reads and processes arbitrary user-provided folders containing code, documents, and images.
  - Boundary markers: No specific delimiters or safety instructions are provided to the agent for handling the data extracted from these files.
  - Capability inventory: The skill has access to powerful tools including 'Bash' and 'Write'.
  - Sanitization: There is no evidence of sanitization or filtering of the content being indexed into the knowledge graph.
Audit Metadata