my-meeting-digest

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions specify a shell command that interpolates user-provided input directly into a subprocess call: python3 scripts/tools/clickup_meeting_notes.py url "{URL}". This pattern is vulnerable to command injection if the user provides a URL containing shell metacharacters, potentially allowing arbitrary code execution on the local system.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by ingesting untrusted data and using it to update sensitive project configuration.
      • Ingestion points: Meeting notes fetched from the ClickUp API via scripts/tools/clickup_meeting_notes.py.
      • Boundary markers: Absent; there are no instructions to use delimiters or ignore embedded instructions within the meeting notes.
      • Capability inventory: The skill has capabilities to write files to the local directory ~/Documents/eo-wiki/meetings/ and the sensitive project memory path ~/.claude/projects/.../memory/, and to perform network operations via Slack and Notion integration scripts.
      • Sanitization: Absent; the skill does not describe any validation, sanitization, or filtering of the ClickUp content before it is processed by the agent to update files.
  • [DATA_EXFILTRATION]: The skill facilitates the flow of potentially sensitive meeting transcripts and summaries across multiple boundaries (ClickUp to local files to Slack/Notion). While functional, this broad access and data movement across platforms increases the risk of unauthorized data exposure if the ingested content is used to manipulate the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 14, 2026, 12:18 AM