The Agent Skills Directory

[COMMAND_EXECUTION]: The GitHub Actions workflow template in references/implementation.md is vulnerable to shell command injection. It uses ${{ github.event.client_payload.date }} and ${{ github.event.client_payload.title }} directly inside a shell run block. If an attacker controls the meeting title or date (e.g., via a malicious meeting note), they could execute arbitrary shell commands on the runner.
[REMOTE_CODE_EXECUTION]: The proposed GitHub Actions workflow uses actions/github-script@v7 with direct interpolation of untrusted data into a JavaScript string literal (JSON.parse('${{ github.event.client_payload.action_items }}')). This is a critical security vulnerability that allows an attacker to break out of the string and execute arbitrary JavaScript code within the CI environment.
[DATA_EXFILTRATION]: Because the suggested integration involves passing sensitive credentials like {{github_token}} to Zapier and triggering repository dispatches, the aforementioned injection vulnerabilities could be used by an attacker to steal these tokens or other environment variables from the GitHub Actions secrets store.
[PROMPT_INJECTION]: The skill facilitates an Indirect Prompt Injection surface by building a pipeline that processes untrusted third-party data (Granola meeting notes) and passes it directly to sensitive execution environments.
Ingestion points: github.event.client_payload in the process-meeting-notes.yml workflow defined in references/implementation.md.
Boundary markers: None; the external data is interpolated directly into commands and scripts without delimiters or 'ignore' instructions.
Capability inventory: The workflow has the capability to execute shell commands (echo, git commit), run JavaScript (github-script), and access repository secrets.
Sanitization: None; the provided templates do not include any validation, escaping, or filtering of the meeting note content before processing.

granola-ci-integration