skills/armagnac/agent-skills/ask/Gen Agent Trust Hub

ask

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill defines a potential surface for indirect prompt injection by interpolating user input from $ARGUMENTS directly into the prompt without protective delimiters or boundary markers.
      1. Ingestion points: User-supplied questions are injected into the agent's instructions in SKILL.md.
      2. Boundary markers: No markers such as XML tags or quotes are used to isolate the user input.
      3. Capability inventory: The skill's environment is highly restricted via the allowed-tools configuration, which includes Read, Glob, Grep, WebSearch, WebFetch, Agent, and Bash limited strictly to git and ls subcommands. All file-modifying tools are excluded.
      4. Sanitization: No input sanitization is performed.
  • [SAFE]: The use of the allowed-tools field to restrict the execution environment is a key security control that effectively mitigates risks associated with the command execution capabilities by limiting Bash to non-destructive operations.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 09:05 AM