MUST be used whenever building a chat UI with Atlas agents in a Flows app. Do NOT manually write useAtlasChat integration code — this skill handles installation, component structure, and hook wiring. Triggers: useAtlasChat, atlas chat, streaming chat, agent chat, chat interface, chat component, chat UI. For a full chat app, run skills in order: (1) integrate-atlas-chat, (2) create-client-tool (per tool), (3) setup-python-tools (if Python tools needed).
64
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Security
4 findings — 1 critical severity, 1 high severity, 2 medium severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Malicious code pattern detected (high risk: 1.00). The code intentionally executes server-provided Python inside a browser Pyodide runtime while injecting COGNITE_TOKEN and enabling HTTP (pyodide_http + micropip), creating a clear remote-code-execution vector that can be used to exfiltrate credentials or data and to install untrusted packages — a high-risk backdoor/exfiltration capability.
The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.
Insecure credential handling detected (high risk: 0.80). The prompt supplies an "Agent external ID" placeholder that the agent is expected to embed into the integration (code/config), which would require outputting the secret identifier verbatim and thus risks credential exfiltration.
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Third-party content exposure detected (high risk: 0.85). The runtime path `useAtlasChat` → `AtlasSession.send` → `AtlasClient.post` → `parseSSE` ingests `data.response.content` / `data.response.messages` from the agent chat API SSE stream (outsider-authored model output), which is then accumulated into `onChunk` and placed into the LLM context for subsequent turns via `payload.messages`/`followups`.
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Potentially malicious external URL detected (high risk: 1.00). The Pyodide runtime code calls loadPyodide with DEFAULT_CDN_URL (https://cdn.jsdelivr.net/pyodide/v0.29.3/full/) and then uses micropip.install at runtime (e.g., installing "cognite-sdk"), which fetches and executes remote Python packages — evidence that remote code is downloaded and executed during skill runtime.
ab7b5f8
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.