recruiter-assistant

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: scripts/batch_screen.js is vulnerable to command injection. It uses execSync to invoke the pdftotext utility and another internal script, building the command line by string concatenation from file names and paths taken directly from the file system. Because execSync hands the whole string to a shell, an attacker who can place a file with a crafted name (one containing shell metacharacters such as ;, backticks, or $()) in the directory being processed gets arbitrary command execution with the agent's privileges.
  • [COMMAND_EXECUTION]: scripts/process_incoming.js has the same flaw. The fileName argument is interpolated directly into a shell command executed via execSync with no validation or sanitization, so a crafted file name again yields arbitrary command execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the candidate resumes and interview notes it ingests. A malicious document can carry instructions designed to deceive the agent or bypass the recruitment rubric; the tool capabilities inventoried below determine how much damage such instructions can do.
  • Ingestion points: External data is read into the agent's context via scripts/screen_resume.js, scripts/batch_screen.js, scripts/generate_questions.js, and scripts/summarize_interview.js.
  • Boundary markers: The skill wraps documents in static text delimiters such as --- RESUME CONTENT START ---. These give the prompt some structure but are trivially defeated by a document that contains the same marker text, since nothing prevents the content from closing the section early or opening a fake one.
  • Capability inventory: The skill can execute shell commands via execSync (in its scripts) and explicitly instructs the agent to use the feishu_doc and message tools.
  • Sanitization: No sanitization, escaping, or schema validation is applied to the content of the processed documents before it is placed in the agent's context.
Recommendations
  • AI detected serious security threats. Remediation for the findings above:
  • In scripts/batch_screen.js and scripts/process_incoming.js, replace execSync string concatenation with execFileSync (or spawnSync) and an argument array so that file names are never parsed by a shell; additionally validate file names against a strict allowlist and confine them to the incoming directory.
  • Treat resume and interview-note content as untrusted data: wrap it in delimiters the document cannot predict, neutralize any line that mimics a delimiter, tell the agent explicitly that the block is data rather than instructions, and require confirmation before the feishu_doc and message tools act on anything derived from a document.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 07:42 AM