The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches and processes content from arbitrary external URLs provided by users or found in site catalogs.
Ingestion points: The skill uses a web-fetch capability in Phase 2 to read the full text of 10-20 external web pages (SKILL.md).
Boundary markers: There are no explicit instructions or delimiters defined to tell the agent to ignore potentially malicious instructions embedded within the fetched web content.
Capability inventory: While the skill itself has no code, it performs complex analysis and generates structured Markdown output based on the fetched data, which could be influenced by an attacker controlling the source website.
Sanitization: No sanitization or validation of the fetched text is performed before it is processed by the AI agent.
[NO_CODE]: The skill documentation explicitly states that it has no associated code scripts and is executed entirely through agent instructions (SKILL.md, Phase 5). This reduces the risk of traditional malware but focuses the risk on the data ingestion pipeline.

brand-voice-extractor