The Agent Skills Directory

[PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection by design. * Ingestion points: Untrusted data from the user (query) and external sources (observations) is used to populate the decision state in modules/state-builder.md. * Boundary markers: The framework lacks explicit delimiters or instructions to ignore embedded commands when the model performs self-estimation for the Gain and Uncertainty utility components. * Capability inventory: The framework orchestrates high-impact actions including tool_call (arbitrary command execution), retrieve (file and web access), and delegate (spawning sub-agents) as defined in SKILL.md. * Sanitization: There is no evidence of input validation, filtering, or escaping for data entering the utility calculation pipeline, especially when operating in prescriptive mode.

utility