paperless-ngx
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: Behavioral Override Instructions. The SKILL.md file employs high-pressure language (e.g., "MANDATORY SKILL INVOCATION", "YOU MUST invoke", "Failure... violates your operational requirements") designed to force the agent to use the skill regardless of context, which is a tactic used to bypass safety protocols.
- [PRIVILEGE_ESCALATION]: Arbitrary File Write Vulnerability. The download command in scripts/paperless-api.sh allows an --output parameter without restriction. This could be abused to overwrite sensitive system files, configuration files (like shell profiles), or SSH authorized_keys if the agent is manipulated into specifying a malicious path.
- [INDIRECT_PROMPT_INJECTION]: Ingestion of Untrusted Data Surface.
  1. Ingestion points: Document content and metadata are fetched via scripts/paperless-api.sh and scripts/tag-api.sh and passed to the agent.
  2. Boundary markers: No delimiters or instructions are provided to help the agent distinguish between data and potential commands within documents.
  3. Capability inventory: The skill provides access to shell execution (bash), network requests (curl), and file write capabilities.
  4. Sanitization: There is no evidence of validation or sanitization of the document content retrieved from the API before it is processed by the agent.
Audit Metadata