bi-dash-creator

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from previously generated reports without adequate isolation or sanitization.
      • Ingestion points: The script scripts/compose_dashboard.py reads content from visual.json, definition.pbir, and multiple .tmdl files within the generated-reports/ directory.
      • Boundary markers: There are no explicit delimiters or instructions to the agent to treat the ingested report data as untrusted content.
      • Capability inventory: The script has significant file system capabilities, including directory deletion (shutil.rmtree), creation (os.makedirs), and file writing (write_json) within the scripts/compose_dashboard.py file.
      • Sanitization: Content extracted from source report files is merged into the new dashboard project without validation, escaping, or structural integrity checks.
  • [COMMAND_EXECUTION]: The instructions in SKILL.md define a shell command to execute the compose_dashboard.py script using parameters (dashboard-name and reports) that are intended to be populated from user input. This pattern creates a potential command injection vulnerability if the agent or execution platform does not sanitize the arguments before shell execution.
  • [COMMAND_EXECUTION]: The Python script scripts/compose_dashboard.py lacks sanitization for the dashboard_name and report_names arguments. It uses these values to construct file paths via os.path.join without ensuring the paths remain confined to the intended output and report directories, which could allow for path traversal attacks.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 15, 2026, 08:15 PM