action-items-todoist

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted meeting transcripts and summaries from Granola and Grain.
      - Ingestion points: SKILL.md (Steps 1 and 2, and Step 4 cross-check with Grain).
      - Boundary markers: Absent; no instructions are provided to the agent to distinguish between meeting content and instructions.
      - Capability inventory: Shell command execution via todoist-cli, tool calls via mcporter, and sensitive file access.
      - Sanitization: Absent; there is no requirement to escape transcript content before processing.
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands for the todoist-cli by interpolating strings extracted directly from transcripts (e.g., <actionable title>). This creates a risk of command injection if meeting participants include shell-escaping sequences or subcommands in the meeting notes.
  • [DATA_EXFILTRATION]: To function, the skill accesses sensitive local files including ~/executive-assistant-skills/config/user.json and sources the {user.workspace}/.env file. These files likely contain PII and API credentials. While this access is core to the skill's purpose, it presents a risk of exposure or exfiltration if the agent is manipulated by malicious transcript content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 12, 2026, 07:07 AM