ops-comms

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting and processing untrusted data from external platforms to generate content.
  • Ingestion points: WhatsApp messages (wacli messages list), Gmail threads (Gmail__get_thread), Slack activity (slack_search_public_and_private), and Telegram updates (telegram__get_updates) as seen in SKILL.md.
  • Boundary markers: There are no explicit delimiters or instructions to treat external message content as data rather than instructions.
  • Capability inventory: The skill possesses Bash execution, file reading, and network-based messaging tools across several platforms.
  • Sanitization: No input validation or escaping mechanisms are defined for content retrieved from external channels.
  • [COMMAND_EXECUTION]: The skill uses string interpolation to pass user-controlled variables into shell commands, specifically within the WhatsApp and Discord modules (e.g., wacli send --to "[contact]" --message "[message]" and bin/ops-discord send "<channel-alias>" "<message>"). This pattern is open to command injection if the agent does not escape shell metacharacters in $ARGUMENTS before interpolating them into the command line.
  • [DATA_EXFILTRATION]: The skill accesses sensitive information including contact profiles (contact_*.md), user preferences (preferences.json), and environment variables used for authentication (NOTION_API_KEY, DISCORD_BOT_TOKEN). Because the skill can also send data to multiple external platforms, there is a risk that this sensitive local context could be exfiltrated through those channels.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 06:48 AM