managing-todos

Fail

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The todo.sh script is vulnerable to shell command injection through unquoted heredocs. In the cmd_create function, the cat <<EOF construct evaluates command substitutions (such as $(...)) or backticks contained within the $title or $body variables. This allows arbitrary code execution if the agent handles maliciously crafted input.
  • [COMMAND_EXECUTION]: A shell injection vulnerability exists in the load_config function. The VALID_STATUSES variable is populated from CLAUDE.md and used unquoted in a for loop (for s in $VALID_STATUSES; do). An attacker can execute commands by crafting a malicious statuses entry in the configuration file.
  • [COMMAND_EXECUTION]: The script uses sed unsafely in cmd_update and cmd_archive. Variables are interpolated directly into sed command strings without sanitization, allowing an attacker to use sed delimiters and command separators to modify files unexpectedly.
  • [DATA_EXFILTRATION]: The command injection flaws enable data exfiltration. An attacker can use command substitution in todo fields to read sensitive files and save their contents into the todo markdown files created by the script.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data.
      • Ingestion points: Reads project configuration from CLAUDE.md and todo content from markdown files in the docs/todos directory.
      • Boundary markers: None identified. The script reads file contents directly into shell variables.
      • Capability inventory: Includes file system writes (cat >), file modification (sed -i), and file movement (mv).
      • Sanitization: None. Configuration values and todo contents are used in shell operations without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 25, 2026, 01:46 PM