azure-devops

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it retrieves and processes untrusted data from Azure DevOps that could contain malicious instructions.
      • Ingestion points: Untrusted content enters the agent context via scripts/wiki.py (get-page-content), scripts/work_items.py (get), scripts/repos.py (get-pr), and scripts/pipelines.py (build-logs).
      • Boundary markers: The skill does not implement delimiters or safety instructions to prevent the agent from interpreting retrieved data as commands.
      • Capability inventory: The skill possesses extensive capabilities, including executing pipelines (scripts/pipelines.py), modifying work items (scripts/work_items.py), and performing repository operations (scripts/repos.py).
      • Sanitization: No sanitization or filtering is performed on ingested data before it is returned to the agent.
  • [DATA_EXFILTRATION]: The scripts/auth.py script includes a token command that prints active session tokens (OAuth or PAT) to standard output. An agent could be manipulated into executing this command and transmitting the exposed credentials to an external service.
  • [COMMAND_EXECUTION]: The download tool in scripts/attachments.py accepts an arbitrary local file path via the --output parameter. This capability could be abused by a compromised agent to overwrite critical system or configuration files (e.g., .bashrc, .ssh/authorized_keys).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 15, 2026, 02:02 PM