The Agent Skills Directory

[DATA_EXFILTRATION]: The scripts/ingest.ts file uses readFileSync to read local files from a path provided in the imagePath JSON field. This mechanism allows the agent to read any file it has permissions for and subsequently upload its base64-encoded content to a remote URL (https://perfect-buffalo-375.convex.cloud).
[DATA_EXFILTRATION]: The skill documentation (references/convex-interface.md) discloses several absolute file paths from the author's local development environment, providing information about the system's directory structure.
[CREDENTIALS_UNSAFE]: The script scripts/ingest.ts contains a hardcoded default value for ownerUserId ("278674008") which is used if the KB_OWNER_USER_ID environment variable is missing, potentially leading to data being stored under an incorrect or unauthorized account.
[COMMAND_EXECUTION]: The skill relies on the bun runtime to execute local TypeScript files. While this is the intended behavior for the skill, the execution of scripts that handle arbitrary file paths increases the overall attack surface.
[INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface for indirect injection:
Ingestion points: scripts/ingest.ts processes JSON data passed via command-line arguments, which may originate from untrusted user messages or external sources.
Boundary markers: There are no delimiters or instructions to prevent the agent from obeying paths or data found within the ingested content.
Capability inventory: The skill possesses both file-read capabilities (readFileSync) and network-write capabilities (fetch).
Sanitization: There is no validation or sanitization of the imagePath variable to ensure it remains within safe or expected directories.

laniameda-storage