task-manager

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts add-task.sh and update-task.sh interpolate shell variables such as $ID, $STATE, and $PRIORITY directly into the JavaScript source passed to node -e. Because the values become part of the program text rather than data, anyone who can influence them (for example through a task ID or state value taken from untrusted content) can close the string literal and run arbitrary Node.js code on the host.
  • [REMOTE_CODE_EXECUTION]: Since the agent fills these fields from content it processes, the injection in the node -e sink becomes remote code execution whenever that content is attacker-supplied.
  • [DATA_EXFILTRATION]: The refresh-dashboard.sh script automatically copies /tmp/wali-stats.json to a remote host referred to as spaceship via scp. This sends workspace task data to an external system on every refresh, and an attacker who can write to that file (it sits in the world-writable /tmp directory) controls what is sent.
  • [EXTERNAL_DOWNLOADS]: The skill makes outbound network requests with curl to https://junaitools.com/wali-api/stats.json to purge a cache; this is unattended network egress from the agent host.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
    * Ingestion points: task details (ID, name, description, state) are supplied by users and processed by add-task.sh and update-task.sh.
    * Boundary markers: none are present in the scripts or the data structure, so nothing stops the agent from obeying instructions embedded in task fields.
    * Capability inventory: node -e for dynamic execution, fs.writeFileSync for file modification, and scp/curl for network access.
    * Sanitization: some fields (name, source, description) are piped through printf into a node sub-process that applies JSON.stringify before they are embedded; other fields, including id and state, are inserted raw into the executed string.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 12:58 PM