external-resource-context

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to capture and persist metadata about sensitive external resources, including secret stores, database schemas, and authentication methods. While the instructions in references/backend.md explicitly state 'Do NOT record actual secret values', the persistence of access methods (URLs, commands, and MCP names) provides a map of the environment that could be exploited if exfiltrated.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8). It instructs downstream agents to read and trust the docs/project-context/external-resources.md file as a 'Single Source of Truth'.
      • Ingestion points: The agent reads docs/project-context/external-resources.md and feature-specific identifiers from UI Specs or Design Docs.
      • Boundary markers: No explicit instructions or delimiters are provided to the agent to treat the content of the generated resources file as untrusted or to ignore embedded instructions within it.
      • Capability inventory: The skill records 'access methods' which include shell commands and MCP names. Downstream agents are instructed to 'Use the access method declared... to fetch the actual resource content', creating a potential execution path for arbitrary commands defined in the metadata file.
      • Sanitization: There is no evidence of sanitization or validation of the URLs, commands, or paths provided by the user or read from the file.
  • [COMMAND_EXECUTION]: The storage protocol allows for the recording of 'commands' as access methods. This creates a risk where a malicious actor who can modify the repository files (e.g., via a Pull Request) could insert a dangerous command into the external-resources.md file, which a downstream agent might execute when attempting to reach an external resource.
Audit Metadata
Risk Level: SAFE
Analyzed: May 10, 2026, 02:34 AM