telegram-reminders

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (LOW): The scripts/setup.ts file uses execSync to configure the Convex environment. It interpolates the botToken and userId directly into a shell command string. While this occurs during an explicit setup phase, it creates a potential command injection surface if an attacker can influence the arguments passed to the setup script.
  • CREDENTIALS_UNSAFE (LOW): The skill stores the Telegram Bot Token, User ID, and Convex Deploy Key in plain text within /mnt/user-data/outputs/telegram_config.json. This is standard for CLI-based tools but means any process with access to the user's data directory can read these secrets.
  • EXTERNAL_DOWNLOADS (SAFE): During setup, the skill executes npm install and npx convex deploy. These downloads originate from trusted registries (NPM) and known service providers (Convex), and are required for the skill's functionality. Per [TRUST-SCOPE-RULE], these are categorized as SAFE/LOW.
  • DATA_EXFILTRATION (SAFE): Analysis confirms that the skill only communicates with api.telegram.org and the user's specific *.convex.cloud deployment. No unauthorized data exfiltration was detected.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data (message text and titles) which are eventually sent to Telegram or stored in the Convex database.
      • Ingestion points: message_text and title arguments in send_message.ts and schedule_message.ts.
      • Boundary markers: Absent; inputs are passed directly to the API/DB.
      • Capability inventory: System command execution (execSync in setup), network requests (fetch), and file reading (readFileSync).
      • Sanitization: No explicit sanitization or escaping of message content is performed before transmission.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:02 PM