poast

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill possesses a significant indirect prompt injection surface. It reads external, untrusted content from a social feed via poast_mentions.sh, poast_timeline.sh, and poast_feed.sh. Combined with its write capabilities (poast.sh, poast_delete.sh), an attacker could @mention the agent with malicious instructions that the agent might execute within its session context.
      • Ingestion points: poast_mentions.sh, poast_timeline.sh, poast_feed.sh, poast_get.sh.
      • Boundary markers: Absent. There are no instructions to the agent to treat external post content as untrusted data.
      • Capability inventory: poast.sh (creating posts), poast_delete.sh (deleting content), poast_follow.sh (modifying social graph), and poast_profile.sh (modifying account metadata).
      • Sanitization: Absent. Content is passed directly to API endpoints via curl.
  • DATA_EXFILTRATION (MEDIUM): The instructions in SKILL.md encourage the agent to "post immediately" when a user says "post this". This behavior can be exploited by a malicious prompt to trick the agent into exfiltrating sensitive session data or files to the poast.bot service without explicit user review of the payload.
  • COMMAND_EXECUTION (MEDIUM): The scripts poast_profile.sh and poast_update.sh manually construct JSON strings using shell variables (e.g., JSON="$JSON\"bio\":\"$BIO\""). This is vulnerable to JSON injection if the input contains escaped quotes or backslashes, potentially allowing an attacker to manipulate API requests or cause unexpected agent behavior.
  • EXTERNAL_DOWNLOADS (LOW): The skill performs a remote version check (curl -s https://www.poast.bot/api/skill/version) and suggests running npx skills@latest to update. While the update command is user-initiated, the remote version check could be used as a trigger for conditional behavior or time-gated attacks.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:52 AM