funding-program-manager
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [PERSISTENCE_MECHANISMS]: The skill provides instructions for the agent to modify user shell configuration files (`~/.bashrc` or `~/.zshrc`) to store the `KARMA_API_KEY` environment variable. This allows the credential and configuration to persist across different shell sessions, which is a classic persistence mechanism.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it retrieves application details and program data from an external API (`gapapi.karmahq.xyz`).
  1. Ingestion points: Data is retrieved from various endpoints including `/v2/funding-applications/` and `/v2/applications/{ref}/comments`.
  2. Boundary markers: The skill does not implement boundary markers or instructions to the agent to ignore embedded instructions in the fetched data.
  3. Capability inventory: The skill has the capability to execute shell commands (`curl`) and modify local configuration files.
  4. Sanitization: There is no evidence of sanitization performed on the retrieved data before it is processed by the agent.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill encourages the storage of an API key in plaintext within shell configuration files, which exposes the credential to any process or user with read access to the local filesystem.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `curl` command to interact with the Karma API, interpolating user-provided data such as application reference numbers and program IDs into the shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata