The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands using the qmd CLI tool to perform semantic searches based on task titles and descriptions.
Evidence: In the 'Semantic Goal-to-Work Mapping' section, the instruction states: qmd query "task title/description" --limit 3.
Risk: The skill interpolates user-controlled data (task titles and descriptions) directly into a shell command. If a task title contains shell metacharacters such as backticks, semicolons, or command substitutions (e.g., $(command)), it could lead to arbitrary code execution on the user's system.
Remediation: Sanitize user-provided strings before interpolation or use shell-safe execution methods that avoid direct string concatenation in shell environments.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests and processes data from untrusted external sources.
Ingestion points: The skill reads content from multiple local markdown files (03-Tasks/Tasks.md, 00-Inbox/Meetings/*.md, 00-Inbox/Journals/, etc.) and retrieves data from Gmail via the Google Workspace MCP.
Boundary markers: There are no delimiters or instructions provided to the agent to treat the content of these files as data rather than instructions. This increases the risk that malicious text embedded in an email or a meeting note could hijack the agent's execution flow.
Capability inventory: The skill has access to tools for file system modification (Tasks.md, project pages, and creating new synthesis files), telemetry reporting, and shell command execution (qmd).
Sanitization: No evidence of sanitization or validation of the retrieved content before it is processed or used in subsequent steps.
Remediation: Implement clear boundary markers (such as XML tags) around data retrieved from external sources and include explicit instructions for the agent to disregard any commands or directives found within that data.

week-review