blog-ki-linz

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill is designed to read sensitive information including API keys and service role tokens from a specific local configuration file at /Users/martinpammesberger/.agents/config/blog-credentials.env.
  • [DATA_EXFILTRATION]: After retrieving local credentials, the skill transmits them to an external Supabase instance via curl commands, creating a pathway for sensitive data to leave the local environment.
  • [COMMAND_EXECUTION]: The skill uses python3 -c to generate and execute code at runtime. This script is built using variables derived from external WebSearch results, which could be manipulated to perform unauthorized actions if the source content is malicious.
  • [PROMPT_INJECTION]: The instructions explicitly command the agent to bypass standard safety protocols by operating with full autonomy ('Run fully autonomously. Do not ask for confirmation between steps.'), which significantly reduces user oversight of its high-risk actions.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the web and processes it through a pipeline involving code execution and network requests without sanitization or boundary markers.
      • Ingestion points: WebSearch results used to determine the topic, titles, and content of the blog post.
      • Boundary markers: None identified in the instructions.
      • Capability inventory: Uses python3 for script execution and curl for network POST requests to external APIs.
      • Sanitization: No evidence of input validation or escaping for the data retrieved from the web before it is interpolated into scripts or payloads.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 10, 2026, 07:38 AM
Security Audit — agent-trust-hub — blog-ki-linz