secure-mule-app

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Finding tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads an executable JAR file from a remote documentation site.
    • Evidence: It fetches secure-properties-tool.jar from https://docs.mulesoft.com/mule-runtime/4.4/_attachments/secure-properties-tool.jar.
    • Context: The download targets the official MuleSoft documentation domain, which is the vendor associated with the skill.
  • [COMMAND_EXECUTION]: The skill executes a Java-based command using the downloaded JAR to encrypt values.
    • Evidence: The instruction in SKILL.md (Step 8) uses java -cp to run the encryption tool, passing an algorithm, mode, key, and value as arguments.
    • Risk: The command interpolates values extracted directly from the project's XML and properties files. The lack of explicit shell escaping for the <value> parameter could allow command injection if the scanned files contain malicious shell metacharacters.
  • [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface as it processes external, potentially untrusted project data.
    • Ingestion points: Scans XML files in src/main/mule and properties/YAML files in src/main/resources (Step 4).
    • Boundary markers: No delimiters or specific instructions to ignore embedded prompts are used during the scanning and processing phase.
    • Capability inventory: Includes the ability to execute shell commands (java), perform network requests (curl, wget), and modify project configuration files (pom.xml, launch.json, .gitignore).
    • Sanitization: No evidence of sanitization or validation of the extracted data before it is passed to the encryption command or written back to configuration files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 15, 2026, 05:34 PM
Security Audit — agent-trust-hub — secure-mule-app