
tiangong-wiki-skill

Fail

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted files from the configured vault directory using an agentic workflow, creating a surface for indirect prompt injection where malicious content within a file could attempt to override agent behavior.
  • Ingestion points: src/core/vault-processing.ts claims and reads files from the vault/ directory for processing.
  • Boundary markers: Absent. The workflow prompt in src/core/workflow-context.ts provides context but does not use strong delimiters or explicit instructions to ignore commands embedded in the vault files.
  • Capability inventory: The CodexSdkWorkflowRunner in src/core/codex-workflow.ts enables workspace-write sandbox mode and networkAccessEnabled: true. The agent can execute the tiangong-wiki CLI and other system commands via the provided PATH.
  • Sanitization: Absent. The system relies on the LLM's own filters to handle untrusted file content.
  • [REMOTE_CODE_EXECUTION]: The references/vault-to-wiki-instruction.md guide instructs the agent to "attempt to install (e.g., pip install, npm install)" runtime dependencies if a parser skill fails. This instruction could be exploited if malicious file content or environment state tricks the agent into installing unauthorized third-party packages.
  • [EXTERNAL_DOWNLOADS]: The skill add command and the tiangong-wiki setup wizard facilitate the download and installation of additional agent skills from external sources. While the default source (github.com/anthropics/skills) is a trusted repository, the tool is designed to support arbitrary URLs or local paths provided during operation.
  • [COMMAND_EXECUTION]: The skill creates a local CLI wrapper script in src/core/workflow-context.ts to allow the agent to execute wiki commands. This wrapper is generated at runtime and placed on the agent's PATH, granting it the capability to perform structured indexing and query operations.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 13, 2026, 08:45 AM
Security Audit — agent-trust-hub — tiangong-wiki-skill