The Agent Skills Directory

[INDIRECT_PROMPT_INJECTION]: The skill's primary function is to ingest content from untrusted external sources (websites and documents) to generate new agent instructions (SKILL.md files). This creates a risk where malicious content within a target document could influence the generated skill's behavior or override its purpose.
Ingestion points: Technical content is ingested via WebFetch and Read tools as defined in references/web-analysis-flow.md and references/document-analysis-flow.md.
Boundary markers: The workflows do not specify delimiters or instructions to ignore embedded malicious prompts within the analyzed technical documentation.
Capability inventory: The skill has file-writing capabilities (creating new skills) and network access (WebSearch/WebFetch), which could be leveraged if an injection is successful.
Sanitization: No explicit text sanitization or validation logic is provided to filter instructions from the source documents before they are processed by the LLM.
[EXTERNAL_DOWNLOADS]: The skill relies on retrieving data from external websites using WebFetch and WebSearch to fulfill its documentation analysis requirements. This is the intended primary purpose of the skill.
[COMMAND_EXECUTION]: The skill provides templates (assets/skill-templates/) and guidelines (references/skill-specs.md) that encourage the creation of skills executing Python scripts and system commands. While the provided scripts/website-analyzer.py is a benign simulation, the generated sub-skills are intended to execute code based on extracted documentation.

skill-factory