confluence-page-viewer

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute commands such as confluence-cli read PAGE_URL and mkdir -p OUT_DIR. These commands incorporate variables (PAGE_URL, OUT_DIR) derived directly from user-provided arguments. If an attacker provides a URL or directory name containing shell metacharacters (e.g., ; rm -rf /), it could lead to arbitrary command execution if validation is bypassed.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design, as its primary purpose is to ingest and process data from external sources.
      • Ingestion points: Data is ingested from external Confluence pages via confluence-cli (SKILL.md).
      • Boundary markers: There are no explicit markers or instructions to ignore embedded commands within the references/output-format.md template.
      • Capability inventory: The agent has access to sensitive tools including Bash, Write, and Edit, which could be abused if malicious instructions in a Confluence page are followed.
      • Sanitization: While the URL format is validated, there is no evidence of sanitization or filtering for the actual content retrieved from the page.
  • [EXTERNAL_DOWNLOADS]: The skill requires the user to install a third-party tool, confluence-cli, from an unverified GitHub repository (github.com/pchuri/confluence-cli). This introduces a dependency on external code that does not originate from a known trusted organization.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 15, 2026, 04:16 PM