influence-and-negotiation

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to its extensive data ingestion and profiling workflow.
    • Ingestion points: The skill is instructed to perform "Deep Research" using tools like WebSearch and WebFetch to ingest content from external websites, LinkedIn profiles, and regulatory filings. It also reads potentially attacker-controllable internal data such as incoming email threads and Slack messages via MCP connectors (references/context-intake.md).
    • Boundary markers: The instructions do not specify the use of delimiters, XML tags, or "ignore instructions" wrappers to isolate this external data from the agent's core system prompt.
    • Capability inventory: The skill has access to a wide range of powerful tools including Read, Write, WebFetch, WebSearch, and the ability to spawn sub-agents (SKILL.md, references/memory.md).
    • Sanitization: There is no mention of sanitizing, validating, or filtering the content retrieved from external sources before it is processed by the agent.
  • [DATA_EXFILTRATION]: While no direct exfiltration to malicious domains was detected, the skill is designed to extract sensitive information (salary bands, negotiation mandates, internal CRM notes) from private sources and store them in local files (numbers.md, context.md). Users should be aware that the agent handles high-value data during the stakeholder profiling phase.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 06:10 AM