aeo-visibility

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: Unsanitized user input is used for file system operations.
  • The clientName parameter provided via the CLI is used directly in path.join (in src/cli.js) to construct directory and file paths.
  • This lack of validation allows for potential path traversal attacks where a malicious clientName (e.g., ../../) could cause the skill to read from or write to locations outside the intended workspace directory.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its analysis architecture.
  • Ingestion points: The skill fetches responses from external AI engines (ChatGPT, Claude, Gemini, Perplexity) in src/engines.js and passes them to src/analyzer.js.
  • Boundary markers: The analysis prompt in src/analyzer.js interpolates the untrusted response directly (Response: ${response}) without using delimiters or instructions to treat the content strictly as data.
  • Capability inventory: The skill has permissions to write files to the disk and perform network operations via multiple AI provider APIs.
  • Sanitization: No sanitization or filtering is applied to the content returned by external engines before it is injected into the analysis prompt.
  • [CREDENTIALS_UNSAFE]: The skill manages multiple sensitive API keys and attempts to access environment files outside its own directory scope.
  • In src/cli.js, the script attempts to load a .env file from the workspace root using a relative path that navigates four levels up (../../../../.env). While intended for ease of use, this pattern accesses sensitive files at a higher directory level than necessary for the individual skill.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 14, 2026, 06:02 PM