empathic-templates
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill uses a 'semantic substitution' model where the AI is instructed to interpret directives within templates, such as '# INSTRUCTION:' or '{{describe_...}}'. This creates an indirect prompt injection surface where untrusted template files can override agent behavior.
- Ingestion points: Template files (.tmpl) are ingested via the 'read_file' tool.
- Boundary markers: The skill uses '{{ }}' delimiters, but content within these markers is intentionally treated as instructions rather than just data.
- Capability inventory: The skill utilizes 'read_file' and 'write_file' tools.
- Sanitization: No sanitization or validation logic for template-embedded instructions is described.
- [REMOTE_CODE_EXECUTION]: The 'SKILL.md' file explicitly documents a 'Template-to-Code Pipeline' where natural language instructions are compiled by the LLM into JavaScript ('_js') or Python ('_py') code. The documentation provides examples of these snippets being executed via the 'eval()' function in the runtime environment, which constitutes a significant dynamic execution risk.
- [DATA_EXFILTRATION]: The skill's architecture combines file reading capabilities with instructions that can steer content generation. A malicious template could instruct the agent to read sensitive local files and write their content to an output directory or reachable path using the 'write_file' tool.
- [NO_CODE]: The provided skill contains only Markdown and YAML configuration files. No executable scripts (.sh, .py, .js) are included in the distribution, though the documentation references external scripts and generated code as part of its workflow.
Audit Metadata