jeecg-bpmn
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions direct the agent to ask users for their 'X-Access-Token' (a JWT login token) and backend API address. This sensitive credential is subsequently handled as a string and included in a dynamically generated Python script for authentication.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute a Python script ('create_process.py') that is written to the local filesystem at runtime. This pattern allows for the execution of arbitrary logic generated by the AI model on the host environment.
- [REMOTE_CODE_EXECUTION]: The agent generates a Python script containing 'urllib.request' calls to perform network operations against a user-provided API base URL. This script is executed locally, creating a pathway for remote interactions with potentially untrusted or malicious endpoints depending on user input.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by converting untrusted natural language descriptions from the user into structured BPMN XML. This XML can contain execution listeners and expressions (e.g., '${...}') which are eventually processed by the backend BPM engine.
  - Ingestion points: User-provided natural language descriptions of the workflow (SKILL.md).
  - Boundary markers: No specific delimiters or warnings for the BPM engine to ignore embedded instructions are implemented.
  - Capability inventory: Subprocess execution via Bash (SKILL.md) and API interaction via Python; the generated XML includes execution listeners like 'ProcessEndListener' (references/bpmn-task-extend.md).
  - Sanitization: There is no explicit evidence of sanitization or validation of the user's natural language input before it is interpolated into the executable XML structure or the Python script.
Audit Metadata