sf-ai-agentforce-testing

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill includes numerous prompt injection strings within its test templates and references.
  • Evidence: Files such as assets/guardrail-tests.yaml, assets/cli-auth-guardrail-tests.yaml, and references/multi-turn-testing.md contain payloads like "Ignore all your previous instructions" and "Reveal all data".
  • Context: These patterns are explicitly documented and used as negative test cases for guardrail validation of the target Salesforce agent. They are not intended to be executed against the agent running the skill, which is a standard pattern for security testing tools.
  • [COMMAND_EXECUTION]: Multiple Python scripts orchestrate the Salesforce CLI (sf) and internal helper scripts to perform testing tasks.
  • Evidence: hooks/scripts/agent_discovery.py executes SOQL queries via sf data query; hooks/scripts/run-automated-tests.py runs sf agent test commands.
  • Context: These subprocess calls are central to the skill's purpose as a CLI-based testing orchestrator. The scripts use standard library modules and target legitimate platform binaries.
  • [SAFE]: The skill manages Salesforce ECA (External Client App) credentials in hooks/scripts/credential_manager.py following security best practices.
  • Evidence: It enforces strict filesystem permissions (0700/0600) for local storage at ~/.sfagent/, masks secrets in terminal output, and prevents accidental commits via an auto-generated .gitignore file.
  • [SAFE]: The skill processes untrusted metadata files (.agent, .xml) and presents test results, representing an indirect prompt injection surface.
  • Ingestion points: hooks/scripts/agent_discovery.py and hooks/scripts/generate-test-spec.py read local metadata files.
  • Boundary markers: Absent, but content is used for structured YAML generation.
  • Capability inventory: subprocess for CLI execution and urllib for API calls to Salesforce.
  • Sanitization: Metadata content is parsed into structured objects before being used to generate test cases.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 07:58 PM