The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The script scripts/scan_all.py uses subprocess.run to dynamically execute other Python scripts (scan_outlook.py and teams_scan.py). While these are internal skill files, the pattern of spawning child processes based on configuration parameters increases the risk of command injection if the configuration file is compromised.
[DATA_EXFILTRATION] (MEDIUM): The skill is designed to read private communications (subjects, sender info, and bodies) from Outlook and Teams to generate summaries for external transmission via Telegram. This capability grants the AI agent access to a user's entire local mailbox and chat history.
[PROMPT_INJECTION] (LOW): The skill processes untrusted external data in the form of email bodies and subjects (Indirect Prompt Injection surface).
Ingestion points: scripts/scan_outlook.py (lines 142-143) and scripts/draft_reply.py (lines 92-98) ingest message subjects and bodies into variables.
Boundary markers: Absent. The code does not use delimiters or instructions to prevent the agent from obeying embedded commands within emails.
Capability inventory: The skill possesses the ability to create Outlook drafts (reply.Save() in scripts/draft_reply.py) and execute shell commands via subprocess.
Sanitization: No sanitization or filtering is performed on the ingested email text before processing or summarizing.
[REMOTE_CODE_EXECUTION] (SAFE): While the skill uses subprocess.run, it targets locally defined scripts and does not appear to execute code directly from remote sources. The referenced teams_scan.py (not provided in the source) likely makes network calls to Microsoft Graph, which is considered intended functionality.

ms-outlook-teams-assistant