java-vuln-scanner

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests and analyzes untrusted code and configuration files from a user's project.
      • Ingestion points: Reads pom.xml, build.gradle, .java source files, and environment configurations like application.yml and web.xml (SKILL.md).
      • Boundary markers: There are no explicit instructions to wrap ingested content in delimiters or to ignore potential instructions embedded within comments or strings in the source code.
      • Capability inventory: The skill has the ability to execute shell commands via a Python scanner and a Java JAR, and it uses a Write tool to save files.
      • Sanitization: The AI analysis step (Step 5 in SKILL.md) lacks verification or sanitization of the project content, which could allow malicious code comments to influence the final vulnerability report.
  • [COMMAND_EXECUTION]: The skill uses local command execution to perform its scanning and decompilation tasks.
      • Executes python3 scripts/scan_dependencies.py to identify library versions and match them against regex patterns in a YAML database.
      • Provides instructions to run java -jar {CFR_JAR} for decompiling bytecode into source code for further analysis.
  • [DATA_EXFILTRATION]: The skill accesses sensitive project configuration files that frequently contain credentials or architectural secrets.
      • Specifically targets application.yml, application.properties, web.xml, and struts.xml for environmental analysis. While no external network exfiltration was found, the systematic aggregation of this data into a single audit report represents an exposure risk if the report is later moved or shared.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 11, 2026, 11:50 AM