health-compliance-review

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill contains a defensive constraint in SKILL.md labeled 'Prompt injection boundary'. This section instructs the agent to treat all repository content as data for analysis rather than instructions, specifically identifying common injection phrases like 'ignore previous instructions' as findings to be reported rather than followed. This is a security best practice.
  • [DATA_EXFILTRATION]: No network access or data exfiltration mechanisms are present. The skill's operating rules explicitly prohibit changing code, configs, or infrastructure, limiting the agent to producing deterministic reports.
  • [REMOTE_CODE_EXECUTION]: The skill does not include any remote code execution patterns, external downloads, or package installations. All provided files are markdown or YAML configuration.
  • [COMMAND_EXECUTION]: No shell commands or subprocess execution patterns were detected. The skill instructions are focused on analysis and reporting rather than environment interaction.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external repository data, creating a potential surface for indirect prompt injection. Evidence Chain:
      1. Ingestion points: .health-context.yaml and general repository files (referenced in SKILL.md).
      2. Boundary markers: Explicit 'Prompt injection boundary' instructions are provided to separate data from instructions.
      3. Capability inventory: No capabilities for network access, file-writing, or system modification are present.
      4. Sanitization: Relies on logical boundary instructions.
    Due to the lack of dangerous capabilities, the presence of defensive instructions, and the report-only nature of the skill, the risk is negligible.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 11:45 AM