wa-review

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it is designed to ingest and analyze untrusted third-party codebase files, including source code and infrastructure templates.
  • Ingestion points: Infrastructure and application architecture discovery steps in SKILL.md involve reading local files such as CDK, Terraform, and application source code.
  • Boundary markers: The skill does not implement explicit delimiters or instruction-isolation techniques to prevent the agent from obeying commands embedded within the audited code's comments or data.
  • Capability inventory: Across its scripts, the agent possesses the capability to read files, summarize contents, generate PlantUML diagrams, and produce prioritized remediation reports.
  • Sanitization: No explicit sanitization or filtering of the audited content is defined in the instructions.
  • [PROMPT_INJECTION]: The skill's reference corpus (e.g., references/lenses/responsible-ai/RAIBR02.md) contains descriptive content regarding prompt injection attacks as part of the Responsible AI framework. While intended for guidance, there is a minor risk that the model may interpret these educational examples (e.g., "ignore previous instructions") as active commands if encountered during the evaluation process.
  • [COMMAND_EXECUTION]: The skill's requirement to "examine" complex infrastructure-as-code like AWS CDK (TypeScript, Python, etc.) or Terraform in Step 2 often necessitates the use of synthesis or planning tools to resolve resource identities. If the agent utilizes its shell access to run commands like npm install, cdk synth, or terraform plan on a malicious project, it could lead to arbitrary code execution within the agent's environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 25, 2026, 02:34 PM
Security Audit — agent-trust-hub — wa-review