agent-tinman

Remove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).

Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.

Remove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.

Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.

Break the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.

Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.

Prevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.

Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.

Prevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.

Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.

Prevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.

Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.