The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The skill requires the agent to construct and execute curl commands in the shell using dynamic content.
Evidence: Step 5 in SKILL.md instructs the agent to run curl -X POST "WEBHOOK_URL" -d '{"text": "MESSAGE_HERE"}'.
Risk: If the message content (derived from git logs or user input) is not perfectly escaped, it could lead to shell command injection. The instructions acknowledge this by telling the agent to "escape quotes properly," but this remains a high-risk pattern for automated agents.
[DATA_EXFILTRATION] (LOW): The skill's primary function is to send project metadata to an external endpoint.
Evidence: SKILL.md Step 3 and 5 detail gathering git log, git branch, and git diff outputs and sending them to a Google Spaces webhook.
Risk: While this is the intended purpose, it establishes a data egress channel for project context. The risk is mitigated by the fact that the endpoint is user-configured in a local .claude/settings.json file.
[INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted data from the local environment that could influence the final command.
Ingestion points: git log, git branch, and git diff outputs from the current repository.
Boundary markers: None present to delimit the git output from the agent's instructions.
Capability inventory: Shell command execution via curl and file reading via cat.
Sanitization: Includes a manual instruction for the agent to "escape quotes properly" when formatting the message for the shell.
[CREDENTIALS_UNSAFE] (SAFE): The skill manages sensitive webhook URLs appropriately.
Evidence: The README and SKILL.md files provide clear instructions to store the webhook URL in a local configuration file and specifically advise users to add that directory to .gitignore to prevent accidental disclosure.

google-spaces-updates