The Agent Skills Directory

[PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill performs deep scans of codebase files, including source code, configuration files, and CI/CD scripts, to identify security properties. This ingestion of untrusted data from the project filesystem into the agent's context presents a surface where malicious instructions could be embedded in the code to influence agent behavior.
Ingestion points: Project files in directories such as src/, config/, and environment files like .env as specified in the audit workflow and the security-properties.md reference.
Boundary markers: The instructions do not include specific delimiters or guidelines for the agent to differentiate between file content and its own instructional context during the scan.
Capability inventory: The skill has access to the Bash tool, filesystem read capabilities, and several Lenses MCP tools that can interact with live Kafka environments.
Sanitization: There is no requirement or implementation of sanitization or filtering for the file contents before they are processed by the agent.
[DATA_EXFILTRATION]: Sensitive Data Exposure. The skill is designed to locate and report on sensitive information including Kafka authentication secrets, JAAS configurations, and hardcoded credentials in environment files. While this is the intended purpose for an audit tool, it necessitates that the agent interact with and potentially expose highly sensitive credentials.
[COMMAND_EXECUTION]: Shell Command Capability. The skill utilizes the Bash tool to facilitate codebase scanning and property auditing. Although this tool is explicitly permitted in the skill's configuration, it provides a powerful interface for system interaction that could be abused if the agent's logic is manipulated by malicious content found during a scan.

kafka-security-audit