backlog-connector

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The fetchBacklogIssues function in src/lib.ts constructs a shell command by concatenating strings with the projectId variable and executes it using execSync. Since projectId can be derived from unvalidated command-line arguments in src/index.ts, an attacker could provide shell metacharacters (e.g., ;, &, |) to execute arbitrary system commands.
  • [CREDENTIALS_UNSAFE]: The skill is designed to read highly sensitive files from the user's personal and confidential tiers. It uses relative path traversal (../../../) in its configuration files to access knowledge/personal/connections/backlog.json and knowledge/confidential/connections/inventory.json, which bypasses directory restrictions.
  • [COMMAND_EXECUTION]: The skill transmits the apiKey as a query parameter in HTTP GET requests via both axios and curl. This is an insecure practice as API keys in query strings are commonly recorded in server logs, proxy logs, and network monitoring tools.
  • [PROMPT_INJECTION]: The skill ingests issue data (summaries and keys) from an external API and returns it to the agent without sanitization or boundary markers. This exposes the agent to indirect prompt injection if the issue content contains malicious instructions designed to manipulate the agent's logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 5, 2026, 10:38 PM