company-current-gtm-analysis

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions include a shell command template that interpolates user-controlled LinkedIn URLs into a bash command, creating a command injection risk.
      • Evidence: Phase 2B in SKILL.md contains the command: python3 skills/linkedin-profile-post-scraper/scripts/scrape_linkedin_posts.py --profiles "<comma-separated LinkedIn URLs>" --max-posts 20 --days 90 --output json
      • Risk: If the input URLs are not sanitized and contain shell metacharacters (e.g., ;, &, |), they could allow arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted external content and processes it into local files.
      • Ingestion points: The skill fetches content from target company blogs, LinkedIn posts, job boards (Greenhouse, Lever), Reddit threads, review sites (G2, Capterra), and various other web sources.
      • Boundary markers: None identified. There are no instructions for the agent to ignore or delimit embedded instructions in the scraped data.
      • Capability inventory: The skill can execute shell commands (via the LinkedIn scraper) and write files to the local filesystem (clients/<client>/research/).
      • Sanitization: None identified. The scraped content is synthesized and scored directly into a markdown report.
  • [DATA_EXFILTRATION]: The skill accesses potentially sensitive local data, which could be exposed if the agent is compromised by an injection attack.
      • Evidence: Phase 1 in SKILL.md instructs the agent to read clients/<client>/context.md for "founders, product, pricing" and "Any existing research or intelligence".
      • Risk: While the skill's primary flow is local, the combination of sensitive data access with extensive network operations (WebFetch/WebSearch) increases the risk of data exposure through an indirect prompt injection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 29, 2026, 05:17 PM