slack-notifications

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill employs authoritative and mandatory language to override agent behavior and enforce specific persistent workflows.
      • The file commands/slack-notifications.md instructs the agent to "follow it exactly as presented to you", which is a directive aimed at bypassing standard behavioral flexibility.
      • The SKILL.md file defines a "Memory Protocol (MANDATORY)" and uses phrases like "ASSUME INTERRUPTION: If it's not in memory, it didn't happen," forcing the agent to prioritize specific file-based state management over its default reasoning.
  • [DATA_EXFILTRATION]: The skill provides tools for transferring local data to external endpoints.
      • The upload-file tool enables the agent to read files from the local filesystem and upload them to Slack channels via curl commands.
      • While this is the intended functionality of the skill, it represents a data exposure path to an external service (slack.com).
  • [COMMAND_EXECUTION]: The skill relies on the execution of shell commands through the Bash tool to interact with the Slack API.
      • Example documentation in SKILL.md demonstrates the use of curl for messaging, channel management, and file uploads.
  • [PROMPT_INJECTION] (Indirect): The skill is susceptible to indirect prompt injection due to its handling of untrusted data from the Slack workspace.
      • Ingestion points: The channel-history tool reads arbitrary message content from Slack channels into the agent's context (SKILL.md).
      • Boundary markers: No instructions are provided to delimit or wrap the ingested channel history, and there are no warnings to the agent to ignore embedded instructions within that history.
      • Capability inventory: The agent has high-impact capabilities, including the Bash tool (via curl), WebFetch, and the ability to post messages and upload files back to the workspace.
      • Sanitization: No evidence of sanitization, filtering, or validation is present for the data retrieved from conversations.history or files.list.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 23, 2026, 12:07 AM
Security Audit — agent-trust-hub — slack-notifications