note-management

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Data Exposure & Exfiltration (MEDIUM): The skill is configured to access and manage directories containing highly sensitive personal and business information.
      • Evidence: Access to notes/personal-finance/, notes/mel-inversiones/ (investments), notes/emails/, and notes/strategy/.
      • Risk: Accessing financial and private correspondence increases the impact of any potential session hijacking or data leakage.
  • Indirect Prompt Injection (LOW): The skill processes a massive volume (17,000+) of markdown files, which acts as an ingestion point for untrusted data.
      • Ingestion points: Any file within the notes/ directory (SKILL.md).
      • Boundary markers: Absent. There are no instructions to ignore embedded commands within the notes.
      • Capability inventory: Shell command execution via grep and find (SKILL.md).
      • Sanitization: Absent. Content is searched and potentially processed without validation.
      • Risk: Malicious instructions hidden in notes (e.g., clipped from external websites) could influence agent behavior when the notes are searched or summarized.
  • Command Execution (LOW): The skill relies on system-level commands to perform its primary functions.
      • Evidence: Documentation of find and grep commands for searching the knowledge base.
      • Risk: While these are standard utilities, their execution over large sets of potentially untrusted file content requires careful handling to prevent command injection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:29 PM