The Agent Skills Directory

[PROMPT_INJECTION]: The skill documentation in SKILL.md and references/workflows.md contains multiple examples of prompt injection payloads (e.g., 'Ignore previous instructions', 'Act as if', 'Override system prompt'). These strings are intended as search patterns for the auditor but risk being misinterpreted as active instructions by the LLM.
[REMOTE_CODE_EXECUTION]: SKILL.md includes strings representing malicious execution patterns (e.g., curl|bash, python -c \"$(curl...)\") within its audit checklist. While these are for pattern matching, they are flagged by automated scanners as potential RCE vectors.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted third-party skill files.
Ingestion points: Functions such as scan_prompt_injection and extract_code_blocks in references/tools.md receive external text content for analysis.
Boundary markers: There are no explicit instructions or delimiters defined to ensure the agent treats audited content strictly as data, increasing the risk that the agent may follow instructions embedded in the analyzed files.
Capability inventory: The skill utilizes system tools like grep and sha256sum (declared in SKILL.md metadata) and performs URL safety checks, providing a pathway for malicious data to influence system operations.
Sanitization: The analysis logic does not specify any sanitization or escaping of the untrusted inputs before they are evaluated by the agent.

skill-security-auditor