stingray
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill demonstrates excellent security practices throughout its implementation.
- [PROMPT_INJECTION]: The SKILL.md file contains a dedicated 'Untrusted Content Handling' section. These instructions proactively defend the agent against indirect prompt injection by instructing it to treat news bodies, descriptions, and attachments as data rather than instructions. It specifically instructs the agent to ignore imperatives such as 'ignore previous instructions' when they appear in third-party content.
- [CREDENTIALS_UNSAFE]: The skill handles authentication securely. It uses a local credentials file (~/.stingray/credentials) with restricted permissions (chmod 600) and explicitly warns the user against pasting API tokens directly into the chat, preventing credential leakage into the LLM context or chat history.
- [COMMAND_EXECUTION]: Shell commands are used for legitimate purposes, such as checking for existing credentials and making API calls via curl to the vendor's domain (stingray.fi). No arbitrary or dangerous command execution was detected.
- [SAFE]: Indirect Prompt Injection Surface Analysis:
  1. Ingestion points: News articles (GET /entities/:entityId/news), attachment text, and knowledge graph descriptions.
  2. Boundary markers: Explicit instructions in SKILL.md define boundaries between user instructions and external data.
  3. Capability inventory: Subprocess calls (curl) are limited to the vendor API; no sensitive local file writes or arbitrary code execution capabilities are exposed to the data ingestion paths.
  4. Sanitization: The skill mandates quoting and summarizing external content instead of following embedded directives.
Audit Metadata