confluence-page-viewer

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes Bash commands by directly interpolating the user-provided arguments $ARGUMENTS[0] (the URL) and $ARGUMENTS[1] (the output directory). Specifically, the commands npx confluence-cli read $ARGUMENTS[0] and mkdir -p $ARGUMENTS[1] are executed without escaping or sanitization. An attacker could supply a URL or directory path containing shell metacharacters (e.g., ;, &, |) to execute arbitrary commands on the system.
  • [EXTERNAL_DOWNLOADS]: The skill instructions mandate the use of npx confluence-cli, which triggers a download of the package from the npm registry if it is not already present. This package is maintained by an individual contributor (pchuri) rather than a trusted organization, posing a risk of supply chain compromise.
  • [REMOTE_CODE_EXECUTION]: The use of npx to run a third-party CLI tool effectively executes remote code from an external repository at runtime. This is a high-risk pattern when the source is not a verified vendor.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from Confluence pages and generates a summary using an LLM. Since it lacks boundary markers or instructions to ignore embedded commands in the source data, it is vulnerable to indirect prompt injection. Malicious instructions placed on a Confluence page could hijack the agent's behavior, particularly given its access to powerful tools like Bash and Write.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 14, 2026, 01:38 PM