stripe-reconcile

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill relies on 'audit findings' from an external source to drive automated actions. In Step 3, it uses codex exec --full-auto with a prompt constructed directly from these findings (e.g., 'Fix: [specific issue from audit]'). An attacker who can influence the audit report (e.g., via malicious comments in code or database metadata) could inject instructions to execute arbitrary code or exfiltrate data.
  • Command Execution (HIGH): The skill performs sensitive production operations using npx convex env set --prod and stripe webhook_endpoints update. These commands allow the agent to modify production infrastructure based on potentially untrusted input.
  • Data Exfiltration (MEDIUM): The verification step uses npx convex env list --prod | grep STRIPE, which reads production secrets into the agent's context. If combined with the network capability in Step 4 (curl -I -X POST <url>), there is a risk of production secret exfiltration.
  • Privilege Escalation (MEDIUM): The skill assumes broad permissions to modify production environments and execute code via codex, which is a powerful utility capable of making sweeping changes to the filesystem.
  • Indirect Prompt Injection Evidence Chain:
    • Ingestion points: Audit findings (processed in Triage and Step 3).
    • Boundary markers: Absent; instructions are interpolated directly into prompts.
    • Capability inventory: npx convex (prod env access), codex exec (code write/exec), pnpm (package management), curl (network access).
    • Sanitization: Absent; findings are used directly in shell command arguments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:43 AM