skills/dotnetage/mindx/notify/Gen Agent Trust Hub

notify

Fail

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script notify_cli.sh is vulnerable to AppleScript injection. It constructs a command string for osascript -e by directly interpolating the $MESSAGE, $TITLE, and $SOUND variables. An attacker can provide a payload (e.g., using a closing quote and the & operator) to execute arbitrary commands on the system via AppleScript's do shell script functionality.
  • [REMOTE_CODE_EXECUTION]: Because the skill's parameters are often derived from untrusted external data processed by the agent, this injection vulnerability allows for remote code execution on the host machine.
  • [DATA_EXFILTRATION]: Exploiting the command injection allows an attacker to execute shell commands to read sensitive local files, such as SSH keys or environment configuration files, and send them to a remote server.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data through its parameters without validation.
      • Ingestion points: The title, message, and sound parameters in SKILL.md are passed to notify_cli.sh via stdin.
      • Boundary markers: Absent; no delimiters or warnings are used to separate user data from the command context.
      • Capability inventory: The skill can execute arbitrary system commands on macOS through the osascript utility.
      • Sanitization: Absent; the script fails to escape quotes or other control characters before passing them to the AppleScript engine.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 11, 2026, 10:47 AM