
uipath-rpa

Pass

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection (Category 8) as it is designed to ingest and process data from untrusted workflow files and project configurations.
  • Ingestion points: The agent is instructed to read and analyze .xaml and .cs workflow files, as well as project.json and .metadata files, which may contain instructions from external sources.
  • Boundary markers: The instructions do not provide explicit delimiters or "ignore embedded instructions" warnings for the content being processed.
  • Capability inventory: The skill has significant capabilities, including executing code (uip rpa run), debugging (uip rpa debug start), and installing dependencies (uip rpa packages install), which could be leveraged if an injection is successful.
  • Sanitization: There is no documented mechanism for sanitizing or filtering instructions that might be embedded in the code comments or metadata of the processed files.
  • [COMMAND_EXECUTION]: The skill allows the AI agent to execute automation workflows on the local system using the uip rpa run and uip rpa debug start commands as detailed in references/cli-reference.md. This is a primary capability of the skill.
  • [DATA_EXFILTRATION]: The skill documentation includes activities and APIs capable of performing network requests, such as NetHttpRequest in references/activity-docs/UiPath.Web.Activities/2.5/activities/NetHttpRequest.md. While these are intended for legitimate API integrations, they represent a potential vector for data exfiltration if the agent is directed to send sensitive data to an external endpoint.
Audit Metadata
Risk Level
SAFE
Analyzed
May 29, 2026, 10:48 AM
Security Audit — agent-trust-hub — uipath-rpa