The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The SKILL.md preamble contains commands to execute Python scripts (telemetry/version_check.py and telemetry/telemetry_init.py) that are not present in the skill's file list. Executing scripts that are missing from the audited package is a high-risk behavior, as it may be intended to trigger pre-positioned malicious payloads or code previously downloaded to the environment.
[COMMAND_EXECUTION]: The skill uses shell commands for telemetry initialization and core analysis workflows. While the provided scripts appear benign, the automatic execution of unverified scripts in the preamble (SKILL.md) bypasses user review and can be used to execute arbitrary commands.
[EXTERNAL_DOWNLOADS]: The skill instructions explicitly direct the agent to use web search to fetch market rate data at runtime. This introduces untrusted external content into the agent's context, which can be exploited for indirect prompt injection.
[DATA_EXFILTRATION]: The skill is designed to ingest and process extremely sensitive financial information, including General Ledgers and P&L statements. The presence of unverified 'telemetry' scripts that run silently in the background creates a high-risk channel for the exfiltration of this sensitive financial data.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It lacks boundary markers or sanitization logic when reading QuickBooks CSV and XLSX files. An attacker could embed malicious instructions within financial report fields (e.g., vendor names or memos) to compromise the agent when it generates the 'CFO briefing'.

finance-ops