google-workspace

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The auth/token_manager.js script uses execSync to call the macOS security command for keychain operations. It interpolates the account variable, which is sourced directly from command-line arguments, into shell command strings without sanitization. An attacker could potentially supply a malicious account name containing shell metacharacters (e.g., ;, &, |) to execute arbitrary commands on the host system. Evidence in auth/token_manager.js includes calls like execSync(`security delete-generic-password -s "${SERVICE_NAME}" -a "${account}" 2>/dev/null`, ...) where the account parameter is vulnerable to breakout.
  • [CREDENTIALS_UNSAFE]: The skill relies on an external script located at a relative path outside the skill directory (../../../scripts/secrets.js) to load Google API credentials. This creates a dependency on an unverifiable local file. Additionally, the skill instructions in auth/GOOGLE_CLOUD_SETUP.md suggest storing sensitive API keys in a .env file within a cloud-synced directory (~/Library/Mobile Documents/com~apple~CloudDocs/Geoffrey/secrets/.env), which may lead to unintentional credential exposure if the sync service is compromised.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data from external sources and possesses significant capabilities. Ingestion points: gmail/read_message.js, chat/read_messages.js, and drive/read_file.js pull content from emails, chat messages, and documents into the agent's context. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the scripts. Capability inventory: The skill allows the agent to send emails (gmail/send_message.js), create/modify files (drive/create_file.js), and execute shell commands via the allowed Bash tool. Sanitization: The scripts do not perform validation or escaping of the ingested text before passing it to the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 11:14 AM