upstash/workflow TypeScript SDK Skill

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill documents the creation of agents and workflows that ingest untrusted data from multiple external sources without providing guidance on sanitization or boundary markers.
  • Ingestion Points: Untrusted data enters the agent context via context.requestPayload (basics/serve.md), context.waitForWebhook (features/webhooks.md), and context.waitForEvent (features/wait-for-event.md).
  • Boundary Markers: Absent. The examples show direct interpolation of external data into prompts and logic.
  • Capability Inventory: The workflows possess high-impact capabilities including arbitrary network requests (context.call), code execution (context.run), and LLM/API orchestration (context.api).
  • Sanitization: No sanitization or validation techniques for external content are demonstrated or recommended.
  • [Command Execution / RCE] (HIGH): The documentation provides multiple examples of using mathjs.evaluate(expression) within agent tools.
  • Evidence: Found in agents.md in the mathTool and workflowMath definitions.
  • Risk: If the expression is sourced from an LLM tool call (which is the intended use case) or an external payload, it could lead to arbitrary code execution or sandbox escapes depending on the mathjs configuration, which is not hardened in the examples.
  • [External Downloads] (MEDIUM): The skill requires the installation of multiple Node.js packages and the use of external CLI tools that are not from the pre-approved trusted list.
  • Evidence: npm install @upstash/workflow, npm install @upstash/workflow-agents, and npx @upstash/qstash-cli are referenced in SKILL.md and how-to/local-dev.md.
  • Note: While Upstash is a reputable provider, it does not fall within the [TRUST-SCOPE-RULE] for automatic downgrade to LOW/INFO.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 13, 2026, 11:22 AM
Security Audit — agent-trust-hub — upstash/workflow TypeScript SDK Skill