todoist-due-drafts
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of untrusted external content.
  - Ingestion points: The skill retrieves task titles and descriptions from Todoist and fetches meeting transcripts from Granola and Grain (Step 3).
  - Boundary markers: No delimiters or protective instructions are defined to separate external data from system instructions.
  - Capability inventory: The agent has extensive shell access, file write capabilities, and access to communication tools (Gmail, WhatsApp).
  - Sanitization: No sanitization or verification of the external content is performed before it is used to influence agent behavior.
- [COMMAND_EXECUTION]: Risk of command injection through dynamic argument construction in shell commands. The skill interpolates untrusted data like recipient names and meeting IDs directly into shell commands for mcporter, gog, and python3 (Steps 3 and 5). If an attacker controls task content containing shell metacharacters, they could execute arbitrary commands.
- [DATA_EXFILTRATION]: The skill accesses sensitive credentials and personal configuration and uses them with network-enabled tools. It reads .env files and user.json configuration containing API tokens and personal email addresses. While intended for legitimate automation with Todoist and Gmail, this access pattern provides a surface for exfiltration if the agent is compromised by malicious task content.