The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it takes untrusted user input and transmits it to external social media platforms.
Ingestion points: The content input field in SKILL.md is the primary entry point for untrusted data.
Boundary markers: No delimiters or instructions to ignore embedded commands are present in the provided code snippets or prompts.
Capability inventory: The skill possesses the ability to execute shell commands (python -c) and perform network operations via the SocialPostingClient.post method.
Sanitization: There is no evidence of input validation, escaping, or sanitization performed on the content before it is processed by the Python client.
[COMMAND_EXECUTION]: The workflow documentation recommends using python -c with shell-interpolated strings (e.g., content='''Your content here'''). If the user-provided content contains triple quotes or shell-breaking characters, it could lead to arbitrary code execution or command injection within the agent's execution environment.
[CREDENTIALS_UNSAFE]: The skill instructions direct the user to store sensitive API keys (POSTFORME_API_KEY, LATE_API_KEY) in a ~/social-posting-api/.env file. The provided scripts explicitly access this sensitive file path to load credentials.

social-post