The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): Indirect Prompt Injection risk (Category 8). The skill is designed to ingest untrusted data from an external source (Basecamp) and has extensive write/execute capabilities.
Ingestion points: Commands such as bc4 todo list, bc4 card view, and bc4 profile pull data from Basecamp into the agent's context.
Boundary markers: There are no markers or delimiters specified to help the agent distinguish between its instructions and the data retrieved from Basecamp.
Capability inventory: The skill allows creating/editing todos, posting messages, and moving cards via the bc4 CLI. An attacker could place malicious instructions in a Basecamp todo list that, when read by the agent, cause it to post sensitive information to a public campfire or delete project items.
Sanitization: No evidence of input sanitization or instruction-guarding is present in the skill definition.
[COMMAND_EXECUTION] (MEDIUM): The skill utilizes the bc4 CLI to perform actions. It interpolates user-provided data (e.g., <id>, "Task description", "Comment text") directly into shell commands. If the agent's execution environment does not properly escape these arguments, it could lead to shell command injection.
[DATA_EXFILTRATION] (MEDIUM): The skill grants access to sensitive organizational data including user profiles, project details, and private team messages. While it communicates with a legitimate service (Basecamp), the lack of restricted scope means the agent can be coerced into reading data it shouldn't access and relaying it to the user or other channels.
[EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on an external tool named bc4. The source and integrity of this binary are not defined within the skill, making it an unverifiable dependency. Users must ensure the bc4 tool is sourced from a trusted provider.

bc4-basecamp