skills/openclaw/skills/remind-me/Gen Agent Trust Hub

remind-me

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill passes user-provided input (the reminder message and schedule) directly to bash scripts (create-reminder.sh, create-recurring.sh), which then interpolate these strings into a command executed via npx tsx. This pattern is highly vulnerable to injection if the underlying application or shell handles special characters inconsistently.
  • [DATA_EXFILTRATION] (HIGH): The scripts hardcode a specific Telegram user ID (6636746252) as the recipient for all notifications. Any user setting a reminder would have their message content exfiltrated to this ID.
  • [DATA_EXFILTRATION] (LOW): The skill uses hardcoded absolute paths (e.g., /home/julian/...), which exposes the host's directory structure and username.
  • [INDIRECT_PROMPT_INJECTION] (HIGH):
    • Ingestion points: User-provided strings for the reminder 'message' and 'time' are ingested via shell arguments in create-reminder.sh and create-recurring.sh.
    • Boundary markers: Absent. No delimiters or instructions are used to separate user data from command logic.
    • Capability inventory: The skill has the ability to execute subprocesses via npx, schedule system tasks via cron, and modify local files via sed -i.
    • Sanitization: No validation or sanitization is performed on the message content before it is processed by shell commands or written to disk.
  • [COMMAND_EXECUTION] (MEDIUM): In check-reminders.sh, the script uses sed -i to modify the reminders log based on content extracted from that log. While some escaping is attempted, this pattern is often exploitable to perform unauthorized file writes or logic bypasses if the escaping is circumvented.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:01 AM