The Agent Skills Directory

[DATA_EXFILTRATION]: The script next_ops_scan.py accepts a user-provided domain and transmits the sensitive NEXT_ADMIN_API_TOKEN in the Authorization header to that domain. While it attempts to normalize inputs to .29next.store, it still allows arbitrary domains, which could be used to exfiltrate the token to an attacker-controlled endpoint.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
Ingestion points: Untrusted data is fetched from the Next Commerce API in scripts/next_ops_scan.py (orders and fulfillments).
Boundary markers: None. The results are written to next_ops_scan_summary.md and next_ops_scan_results.csv without delimiters or instructions to the agent to ignore embedded commands.
Capability inventory: The skill has access to Bash, Read, AskUserQuestion, and TodoWrite tools as defined in SKILL.md.
Sanitization: None. Data from the API (such as order reasons or numbers) is interpolated directly into markdown output files without escaping or validation, allowing potentially malicious content in orders to influence the agent when it reads the summary.
[CREDENTIALS_UNSAFE]: The skill requests high-privilege Admin API tokens from the user. While the instructions suggest using environment variables to avoid persistence in files, the handling of these secrets by the script and their transmission over the network poses an inherent risk if the environment or the target domain is compromised.

next-ops-scan