skills/loukandr/skills/noteplan/Gen Agent Trust Hub

noteplan

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Data Exposure & Exfiltration] (MEDIUM): The skill explicitly documents sensitive local file system paths used by NotePlan for data storage (e.g., ~/Library/Containers/co.noteplan.NotePlan3/...). Although this information is useful for file management, exposing these specific paths to an AI agent creates a significant risk for unauthorized data access or exposure if the agent is prompted to read from or exfiltrate content from these directories.
  • [Dynamic Execution] (LOW): The documentation in references/templates.md and references/url-scheme.md details capabilities for dynamic JavaScript execution within notes and plugin installation via URL schemes. While these are legitimate features of the application, they represent a potential code execution vector (Category 10) that could be abused if an agent is manipulated into generating or processing malicious markdown templates or commands.
  • [Indirect Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection (Category 8) because it facilitates the processing of user-controlled Markdown data which may contain hidden instructions or template logic. Evidence Chain:
      1. Ingestion: The agent is instructed to read .txt and .md files from NotePlan directories.
      2. Boundary markers: No explicit instructions for delimiters or instruction-ignore blocks are provided to the agent.
      3. Capability inventory: The skill documents the JS API, URL scheme (addText, deleteNote, runPlugin), and file system paths.
      4. Sanitization: No sanitization or validation of note content is mentioned.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 21, 2026, 02:33 PM