dacp-interpreter

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it is designed to ingest and interpret data from external 'senders' that includes natural language instructions.
  • Ingestion points: Processes *.bundle/ directories containing manifest.json, intent.md, and various script files.
  • Capability inventory: The skill builds a structured ExecutionContext and specifically enables the agent to evaluate and execute scripts provided in the payload.
  • Boundary markers: While the skill refers to 'review-only references' and includes a 'SAFE-01' marker, there are no strict prompt delimiters or instructions provided to the LLM to ignore potentially malicious directions embedded within the intent.md file.
  • Sanitization: The interpreter implements schema validation, fidelity checks, provenance verification for scripts, and size limits (50KB for data, 10KB per script).
  • [COMMAND_EXECUTION]: The workflow explicitly permits the execution of external code provided in the bundles.
  • Evidence: Step 5 ('Review Scripts Before Use') directs the agent to 'Decide: execute it' based on its interpretation of the script content. This creates a risk where malicious code could be executed if the agent is manipulated by the accompanying intent.md markdown instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 07:33 PM
Security Audit — agent-trust-hub — dacp-interpreter