qq-email-operator

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script executes an external command with parameters derived from user input without adequate validation.
      • Evidence: In scripts/qq_email.py, the get_auth_code function constructs a lookup path for the pass utility using the --account argument. Specifically, lines 27-31 use f-strings to build paths like f"email/qq/{account}" which are then passed to subprocess.run(["pass", "show", path], ...). This allows an attacker to use path traversal sequences (e.g., ../../) in the account name to access secrets outside the intended directory in the user's password store.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external emails.
      • Ingestion points: scripts/qq_email.py fetches email headers and bodies in cmd_list and cmd_read functions.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands are used when presenting email content to the agent.
      • Capability inventory: The skill has the ability to send and reply to emails via cmd_send and cmd_reply in scripts/qq_email.py.
      • Sanitization: There is no sanitization or filtering of the retrieved email content before it is processed by the AI agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 01:18 AM