The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): The skill requires users to store plaintext secrets, including a Stripe Secret Key (sk_live_...) in a .env.stripe file and Google OAuth client secrets in credentials.json. These are stored within the agent's workspace, making them accessible to any other skill or agent command.
[PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It fetches untrusted data from Google Task titles, notes, and Calendar events, which are then interpolated into the 'Morning Brief' prompt for the agent. An attacker could place malicious instructions in a task name to hijack the agent when it processes the brief.
Ingestion points: scripts/sync-google-tasks.py (Task API), HEARTBEAT.md (ICS URL), and memory/YYYY-MM-DD.md (User input logs).
Boundary markers: Absent. External content is formatted directly into the report template.
Capability inventory: Python execution, file system read/write, and network access (Stripe/Google APIs).
Sanitization: None detected. Data is fetched and stored in JSON/Markdown format for direct consumption by the LLM.
[COMMAND_EXECUTION] (MEDIUM): The script scripts/sync-google-tasks.py performs a suspicious sys.path.insert(0, '/Users/tom/Library/Python/3.9/lib/python/site-packages'). This forces the execution environment to use libraries from a specific user's local directory, which could be used to facilitate local library hijacking if that path is not secured or exists on a shared system. All scripts also use hardcoded absolute paths for the user 'tom', indicating they were not designed for portable or secure multi-user environments.

daily-rhythm