legal-qa-extractor

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted input in the form of customer consultation records. This presents a surface for indirect prompt injection if malicious instructions are embedded in the consultation text.
  • Ingestion points: Processes document paths and pasted text as described in SKILL.md and intake-checklist.md.
  • Boundary markers: The skill relies on natural language instructions for extraction but does not define explicit technical delimiters (e.g., XML tags) for the input data.
  • Capability inventory: Performs file-read and file-write operations within the source directory.
  • Sanitization: Includes extensive rules for PII desensitization (redacting names, addresses, and entities) in references/output-template.md and SKILL.md.
  • [COMMAND_EXECUTION]: The skill defines complex logic for directory traversal and batch processing of files (scanning, filtering by extension, and recursive searching) as outlined in references/batch-processing-rules.md. While these are high-capability operations, they are explicitly limited to standard text formats (.md, .txt) and are core to the skill's stated purpose of document management.
  • [DATA_EXFILTRATION]: No network operations, external API calls, or hardcoded credentials were detected. Data processing is confined to the user's file system, and output is saved in the same directory as the source files.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 03:02 AM