paladin-repo-audit

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection via the PALADIN.md file located in the target repository. This file allows an attacker to control the skill's operational parameters, such as the source of security advisories and the destination for audit reports.
  • Ingestion points: The agent reads and processes configuration from PALADIN.md and scans all source files within the local repository.
  • Boundary markers: Absent. The instructions define no delimiters around analyzed content and give the agent no warning to disregard instructions or configuration overrides found within the analyzed data.
  • Capability inventory: The skill can execute shell commands (git, ripgrep), read arbitrary repository files, query external advisory databases, and transmit data to external platforms like Jira, Linear, or custom API endpoints.
  • Sanitization: Absent. There is no evidence of validation or sanitization of the configuration values extracted from PALADIN.md.
  • [DATA_EXFILTRATION]: The skill is designed to transmit potentially sensitive security findings (including code evidence and vulnerability details) to external services like Linear, Jira, or email addresses. While intended for legitimate reporting, this capability can be abused via Indirect Prompt Injection to redirect discovered vulnerabilities or secrets to attacker-controlled endpoints.
  • [COMMAND_EXECUTION]: The skill uses the shell commands git status --porcelain and rg --files to perform repository inventory. While these specific commands are standard for repository analysis, they represent an active interaction with the local file system.
  • [EXTERNAL_DOWNLOADS]: The skill queries external advisory metadata based on evidence found in the repo. If the advisory source list is manipulated via repository configuration, the agent could be directed to interact with untrusted external servers.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 20, 2026, 10:26 AM