The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from the codebase being audited. Malicious instructions hidden in comments, documentation, or string literals within the scanned files could attempt to manipulate the audit results or the generated remediation checklist.
Ingestion points: Phase 1 involves a systematic scan of the entire codebase, including source code, UI templates, and documentation (SKILL.md).
Boundary markers: The instructions do not define boundary markers or delimiters to isolate untrusted file content from the agent's internal reasoning context.
Capability inventory: The skill has read access to the full workspace, the ability to write reports to the local file system (/tmp), and the capability to propose code changes in Phase 3.
Sanitization: No specific sanitization or filtering logic is mentioned for the content retrieved from the files before it is processed by the AI.
[SAFE]: The skill implements a robust "confirm-everything" policy, utilizing the AskUserQuestion tool to obtain explicit user consent before making any code modifications, creating files, or orchestrating other skills.
[SAFE]: The instructions explicitly direct the agent to never embed literal credential values and to reference environment variables instead, which is a key security best practice.
[SAFE]: The external libraries and tools suggested for remediation (such as guardrails-ai, nemo-guardrails, and presidio-analyzer) are well-known, industry-standard packages within the AI safety and privacy ecosystem.
[SAFE]: The skill correctly orchestrates related vendor resources (arize-instrumentation, arize-evaluator, etc.) from the same author to extend its capabilities safely.

arize-compliance-audit