flowstudio-power-automate-monitoring

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process data from external Power Automate environments, including flow definitions, error logs, and maker metadata. This data is untrusted and could be used to host indirect prompt injection attacks where malicious instructions are embedded in flow names or descriptions.
    • Ingestion points: Data is ingested via get_store_flow (flow definitions and metadata) and get_store_flow_errors (run error strings and remediation hints) as described in SKILL.md.
    • Boundary markers: The instructions do not specify the use of delimiters or boundary markers to isolate external data from the agent's instructions.
    • Capability inventory: The skill possesses write capabilities through tools like update_store_flow (modifying governance metadata) and set_store_flow_state (enabling/disabling flows), which could be targets of an injection attack.
    • Sanitization: No explicit sanitization or validation of the ingested external content is mentioned in the logic.
  • [DYNAMIC_EXECUTION]: The skill provides instructions for parsing JSON strings returned by the API (e.g., json.loads(record["runError"])). This is a standard and safe data-handling practice for the intended use case.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 12, 2026, 03:49 AM