The Agent Skills Directory

[COMMAND_EXECUTION]: Path Traversal in Resource Management. The ResourceHandler class in SKILL.md constructs file paths using userId.toString() inside path.join. If the userId input is not strictly validated as a numeric value, an attacker could inject path traversal sequences (e.g., ../..) to access or delete arbitrary files on the host system via the deleteResource or deleteUserData methods.
[DATA_EXFILTRATION]: Potential Data Exposure via Path Traversal. The DataExporter utility in SKILL.md packages user notes and resources into a ZIP archive. The vulnerability in path construction could allow an attacker to read files from outside the designated storage directory and include them in the generated export.
[PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill processes external Evernote (ENML) data which may contain malicious instructions for the agent. 1. Ingestion points: The enml-processor.js script parses raw ENML content. 2. Boundary markers: Absent. Extracted text and todo items are processed without clear delimiters or instructions to the agent to disregard embedded commands. 3. Capability inventory: The skill utilizes file system writes, file deletions, and database operations. 4. Sanitization: Partial. While the code filters out javascript: links and handles encrypted content tags, it does not perform sanitization for prompt injection patterns in the textual content.

evernote-data-handling