dd-audit

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes audit log data from external sources (Datadog Audit Trail) which can contain attacker-controlled content.
      • Ingestion points: Data enters the context via pup audit-logs search commands in SKILL.md, ai-activity-audit/SKILL.md, security-investigation/SKILL.md, key-compromise/SKILL.md, and compliance-report/SKILL.md.
      • Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore embedded instructions within the log data.
      • Capability inventory: The skill executes shell commands (pup, curl, jq), performs network operations to external APIs, and has the capability to delete API keys (pup api-keys delete).
      • Sanitization: Absent. There is no evidence of filtering or escaping external content before interpolation into the agent's context.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution for its core functionality.
      • Evidence: Multiple bash snippets across all sub-skills using pup, curl, and jq. This includes potentially destructive operations like pup api-keys delete for key compromise remediation.
  • [DATA_EXFILTRATION]: The skill transmits sensitive authentication tokens (DD_API_KEY, DD_APP_KEY) via curl to an endpoint constructed from the DD_SITE environment variable. While the default is an official service, the use of a variable for the domain allows for potential redirection if the agent is manipulated into changing its value.
      • Evidence: curl -s -G "https://api.${DD_SITE}/api/v2/usage/hourly_usage" in cost-spike-investigation/SKILL.md.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 06:48 AM