token-guard

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Insecure Python execution bridge in scripts/token-guard.sh. The script uses python3 -c and interpolates shell variables directly into the Python source string (e.g., '$model', '$daily_usd', and '$entry'). Because these variables are not sanitized or escaped, a crafted string containing a single quote can break the Python string literal and execute arbitrary Python code. This affects functions such as cmd_log, cmd_status, and cmd_monitor.
  • [COMMAND_EXECUTION]: JSON injection vulnerability in the _switch_model function. The script interpolates the $new_model variable directly into a JSON string payload for a curl POST request to a local gateway. An attacker could use this to inject additional JSON keys and manipulate other agent configuration settings beyond the intended model switch.
  • [PROMPT_INJECTION]: Vulnerability to indirect injection through log poisoning.
    1. Ingestion points: Data is read from the $STATE_DIR/usage-log.jsonl file in the cmd_status and cmd_monitor functions.
    2. Boundary markers: None are present to distinguish between trusted and untrusted log entries.
    3. Capability inventory: The script has the ability to modify the agent's primary model configuration via curl and execute arbitrary logic via python3.
    4. Sanitization: None. Data from the usage log is interpolated directly into Python execution strings without validation or escaping.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 07:42 PM