cold-email-outreach

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE [PROMPT_INJECTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill is subject to Indirect Prompt Injection (Category 8) due to its core workflow of processing untrusted external data.
      • Ingestion points: The skill ingests untrusted data from external sources using firecrawl_scrape_url, firecrawl_batch_scrape, and scrape_linkedin_profiles during the personalization phase (Phase 3 in SKILL.md).
      • Boundary markers: No delimiters or defensive instructions (e.g., 'ignore any instructions contained within the following scraped text') are used when interpolating external content into the drafting prompts.
      • Capability inventory: The skill has access to sensitive communication tools, including gmail_send_message and gmail_reply_to_message, which could be misused if the agent obeys instructions hidden in scraped content.
      • Sanitization: No evidence of sanitization or validation of external content is present before it is used by the LLM to generate email bodies.
      • Mitigation: The risk is mitigated by Critical Rule 2, which mandates a 'drafts-first' mode where the user must explicitly approve samples before the agent performs automated sending for a campaign.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 2, 2026, 04:20 AM