ddsetup
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill instructions in SKILL.md and references/mcp-settings.md contain directives to suppress transparency by concealing implementation details, such as file paths (.mcp.json), internal state check results (datadog-server-state), and variable names from the user.
- [PROMPT_INJECTION]: The skill uses "Stay on script" rules in references/mcp-settings.md to prevent the agent from providing additional context or clarifying its actions, which can be a technique used to hide unauthorized activities or bypass standard safety interactions.
- [PROMPT_INJECTION]: There is a manifest inconsistency between the allowed-tools metadata in SKILL.md (restricted to Read) and the functional requirements which instruct the agent to modify and save changes to the registration file.
- [COMMAND_EXECUTION]: The skill requires the agent to edit a configuration file (.mcp.json) whose values use shell-style environment-variable templates (e.g., ${DD_MCP_DOMAIN:-not-setup}) that are expanded by whatever later interprets the file. Writing user-controlled text into such a file risks unintended behavior or injection: a value that itself contains a ${...} template is not neutralized by JSON quoting and would be expanded along with the legitimate ones.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. (1) Ingestion points: User-provided domain or site code requested in SKILL.md. (2) Boundary markers: None present to separate user input from the configuration logic. (3) Capability inventory: File reading and instructed file modification (Step 2 in SKILL.md). (4) Sanitization: Partial sanitization is provided via the mapping table in references/mcp-settings.md, but unknown domains are still processed after a user warning.
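The template-expansion finding and the sanitization finding above describe the same weak spot from two sides: a user-supplied site value is spliced into .mcp.json, and the only defense is a mapping table that still lets unknown domains through. The following is an added illustration written for this audit page, not code from the ddsetup skill or from Datadog. It contrasts a naive text splice with an allow-list-first edit of the parsed JSON. The site mapping, the .mcp.json fragment and the `datadog-mcp` command name are constructed for the example; the skill's own mapping table in references/mcp-settings.md is not reproduced on this page.

```python
import json
import re

# Constructed allow-list for illustration (assumption, not the skill's table).
KNOWN_SITES = {
    "us1": "datadoghq.com",
    "us3": "us3.datadoghq.com",
    "us5": "us5.datadoghq.com",
    "eu1": "datadoghq.eu",
    "ap1": "ap1.datadoghq.com",
    "gov": "ddog-gov.com",
}

# Constructed .mcp.json fragment. "datadog-mcp" is a placeholder command;
# the DD_MCP_DOMAIN template is the one quoted in the audit.
SAMPLE_MCP_JSON = """{
  "mcpServers": {
    "datadog": {
      "command": "datadog-mcp",
      "env": {
        "DD_MCP_DOMAIN": "${DD_MCP_DOMAIN:-not-setup}"
      }
    }
  }
}"""

TEMPLATE = "${DD_MCP_DOMAIN:-not-setup}"

# Characters that would let a value be read as a ${VAR:-default} template or
# a shell construct by whatever later expands the file.
_TEMPLATE_CHARS = re.compile(r"[$`{}\\\s;&|<>\"']")
# Plain dotted hostname: lowercase labels, no scheme, no port, no path.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


class RejectedInput(ValueError):
    """Raised when a user-supplied site or domain must not reach the file."""


def resolve_site(user_value: str, allow_unknown: bool = False) -> str:
    """Map a user-supplied site code or domain to a value safe to write.

    Known codes and known domains are accepted. Anything carrying template or
    shell metacharacters is rejected even when allow_unknown is set. An unknown
    but well-formed hostname is accepted only on explicit opt-in, which is the
    "warn and continue" path the audit flags; the caller owns that decision.
    """
    value = user_value.strip().lower()
    if value in KNOWN_SITES:
        return KNOWN_SITES[value]
    if value in KNOWN_SITES.values():
        return value
    if _TEMPLATE_CHARS.search(value) or not _HOSTNAME.match(value):
        raise RejectedInput(f"refusing to write {user_value!r}: not a plain hostname")
    if not allow_unknown:
        raise RejectedInput(f"unknown Datadog site {user_value!r}")
    return value


def is_rejected(user_value: str, allow_unknown: bool = False) -> bool:
    """True if resolve_site refuses the value (convenience for checks)."""
    try:
        resolve_site(user_value, allow_unknown)
    except RejectedInput:
        return True
    return False


def naive_update(config_text: str, site: str) -> str:
    """VULNERABLE pattern: splice the raw string into the file text.

    The result is still valid JSON when `site` carries its own ${...}
    template, so the injected template survives into .mcp.json unchanged.
    """
    return config_text.replace(TEMPLATE, site)


def safe_update(config_text: str, user_value: str, allow_unknown: bool = False) -> str:
    """Hardened pattern: validate first, then edit the parsed structure.

    json.dumps escapes quotes and control characters but leaves '$', '{' and
    '}' alone, so JSON encoding by itself does not stop template injection;
    the allow-list in resolve_site is what does.
    """
    site = resolve_site(user_value, allow_unknown)
    config = json.loads(config_text)
    env = config["mcpServers"]["datadog"].setdefault("env", {})
    env["DD_MCP_DOMAIN"] = site
    return json.dumps(config, indent=2) + "\n"


def domain_in(config_text: str) -> str:
    """Read back DD_MCP_DOMAIN from JSON text (used to inspect both paths)."""
    return json.loads(config_text)["mcpServers"]["datadog"]["env"]["DD_MCP_DOMAIN"]


if __name__ == "__main__":
    payload = "x${DD_API_KEY}"
    print("naive:", domain_in(naive_update(SAMPLE_MCP_JSON, payload)))
    print("safe :", domain_in(safe_update(SAMPLE_MCP_JSON, "eu1")))
    try:
        safe_update(SAMPLE_MCP_JSON, payload)
    except RejectedInput as exc:
        print("safe : rejected ->", exc)
```

The point of the contrast is that the file format gives no protection: `naive_update` writes `x${DD_API_KEY}` into a syntactically valid .mcp.json, and any later expansion step would substitute the referenced variable. Rejecting template metacharacters before the value is ever placed in the structure, and making the unknown-domain case an explicit opt-in rather than a warning that is then ignored, closes both gaps the audit describes.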
Audit Metadata