universal-notify

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/notify.sh is vulnerable to parameter and payload injection.
      • In the webhook channel, JSON is constructed using printf with direct variable interpolation: JSON=$(printf '{"title":"%s","message":"%s","priority":"%s"}' "${TITLE:-Notification}" "$MESSAGE" "$PRIORITY"). If the message contains double quotes or other JSON-sensitive characters, it can corrupt the payload or inject additional JSON fields.
      • In the telegram channel, data is sent via curl -d "text=${MESSAGE}". If the message contains an ampersand (&), it will be interpreted as an additional POST parameter rather than literal text.
  • [DATA_EXFILTRATION]: The script allows sending data to arbitrary external URLs through the webhook, gotify, and ntfy (via --server) channels. If an attacker can influence the configuration of these channels, they could redirect sensitive notification content to an attacker-controlled server.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8).
      • Ingestion points: The script scripts/notify.sh ingests untrusted data via the --message and --title command-line arguments.
      • Boundary markers: No boundary markers or delimiters are used to isolate user-provided content from the rest of the notification logic.
      • Capability inventory: The script has the capability to perform network operations (curl) to arbitrary URLs defined by the user.
      • Sanitization: No sanitization, escaping, or validation is performed on the input variables before they are interpolated into network request bodies.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 2, 2026, 08:39 PM