excel-to-csv

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The tool definitions in SKILL.md use path traversal sequences (../../scripts/convert.py and ../../scripts/verify_csv.py). This directs the agent to execute scripts outside the skill's designated directory, which is a common technique for accessing or executing unauthorized files on the host system.
  • [COMMAND_EXECUTION]: The convert.py utility allows for an arbitrary output directory via the --outdir parameter. Since the agent has Write permissions and the path is not restricted to the skill's workspace, this could be exploited to write or overwrite files in sensitive system or user directories.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core purpose is to ingest and process untrusted external data (.xlsx and .xls files). The 'Tainted Context Cleanser' logic explicitly instructs the agent to read and analyze the converted CSV content, which could contain malicious instructions designed to hijack the agent's session.
    • Ingestion points: Processes user-supplied Excel files in scripts/convert.py.
    • Boundary markers: Absent. There are no instructions for the agent to use protective delimiters or to treat the CSV content as untrusted text.
    • Capability inventory: The agent has Bash, Read, and Write capabilities, providing a significant impact if a prompt injection is successful.
    • Sanitization: The conversion process does not sanitize cell content for potential LLM instructions before the agent reads it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 26, 2026, 02:01 AM
Security Audit — agent-trust-hub — excel-to-csv