upstash-workflow-js

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill documents mechanisms for ingesting untrusted data through workflow payloads, webhooks, and real-time notification endpoints. While the documentation correctly suggests using Zod for schema validation, there is an inherent risk of indirect prompt injection when this data is passed to the AI agents described in agents.md.
      • Ingestion points: SKILL.md (InitialPayload), features/webhooks.md (webhook request body), and how-to/realtime.md (event notification body).
      • Boundary markers: None explicitly defined in the provided prompt construction examples.
      • Capability inventory: The SDK provides context.run (arbitrary logic), context.call (HTTP requests), context.api (direct LLM provider calls), and context.invoke (cross-workflow execution).
      • Sanitization: Examples include zod for structural validation, but lack patterns for sanitizing natural language content against adversarial instructions.
  • [REMOTE_CODE_EXECUTION]: The agents.md documentation includes an implementation example for a math tool using mathjs.evaluate(expression) on user-supplied strings. This pattern can lead to arbitrary code execution if the math environment is not properly sandboxed, as the function has access to a wide range of JavaScript capabilities.
  • [EXTERNAL_DOWNLOADS]: The skill instructions include standard installation of vendor-provided packages and tools, such as @upstash/workflow, @upstash/workflow-agents, and the @upstash/qstash-cli. These are legitimate resources for the SDK's stated purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: May 15, 2026, 05:34 PM