refine-email-drafts
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the change_request database field.
  - (1) Ingestion point: Natural language data is retrieved from the change_request column of the email_drafts table via the Supabase MCP tool in SKILL.md.
  - (2) Boundary markers: There are no delimiters or specific instructions to treat this data as untrusted content.
  - (3) Capability inventory: The agent has access to mcp__plugin_supabase_supabase__execute_sql, providing a direct path to database modification (UPDATE/DELETE).
  - (4) Sanitization: The skill explicitly instructs the agent to follow custom instructions literally, which prioritizes untrusted external data over safety constraints.
- [DATA_EXFILTRATION]: The skill directs the agent to read the sensitive .env file to extract a Notification Service Admin Token. While the .env path is classified as sensitive, the access is used for authenticating with the vendor's (psquared-development) own infrastructure.