The Agent Skills Directory

COMMAND_EXECUTION (HIGH): In SKILL.md Step 5, the agent executes cd /home/milad/[product-slug] && vercel --prod. The [product-slug] variable is derived from an external file (products.json) or user input and is not sanitized before being passed to a shell, allowing for arbitrary command execution (e.g., slug; rm -rf /).
PROMPT_INJECTION (HIGH): The skill performs web searches for keywords and competitors (SKILL.md Step 2) and feeds that untrusted data into the generation process. The resulting content is saved to the file system and deployed to Vercel without human review. Evidence Chain: 1. Ingestion points: Web search results (Step 2). 2. Boundary markers: Absent. 3. Capability inventory: File system writes via save_blog_post.js and production deployment via vercel (Step 5). 4. Sanitization: None detected.
DATA_EXFILTRATION (MEDIUM): The skill sends summaries and generated content to a Telegram endpoint (Step 6). If the content generation is compromised via indirect injection, this channel could be used to exfiltrate sensitive data or environment information.
PATH_TRAVERSAL (MEDIUM): The scripts/save_blog_post.js script uses productSlug and postSlug arguments to construct file paths via path.join without sanitizing for directory traversal characters (..), enabling writes to unintended directories on the host.

seo-content