The Agent Skills Directory

[Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill installs software from untrusted remote sources and performs runtime compilation. * Evidence: The install script performs bun install -g meta-business-cli (untrusted registry package) and git clone https://github.com/adolago/meta-cli.git && ... && bun build --compile which downloads and executes source code from a personal repository not on the trusted list.
[Persistence Mechanisms] (HIGH): The skill establishes multiple persistence points on the host system. * Evidence: The meta service install command creates a systemd user service for background execution. * Evidence: The meta completion command encourages users to append arbitrary code execution to shell profiles (~/.bashrc and ~/.zshrc), which will execute the binary on every new shell session.
[Indirect Prompt Injection] (HIGH): The skill possesses a high-severity vulnerability surface for indirect prompt injection. * Ingestion points: meta webhook listen and meta messenger receive ingest untrusted, attacker-controllable message content from WhatsApp, Instagram, and Messenger. * Capability inventory: The skill has extensive write capabilities including sending messages (meta wa send), publishing content (meta ig publish), and modifying system services (meta service). * Boundary markers: None present. * Sanitization: Only phone numbers are filtered (allowlist); the content of messages remains a raw injection vector for the agent.
[Data Exposure & Exfiltration] (HIGH): The skill requires handling and local storage of sensitive authentication credentials. * Evidence: Commands like meta config set app.secret and meta auth login --token handle plaintext Meta Graph API secrets and permanent access tokens, which are stored locally in ~/.meta-cli/config.json.

meta-business