gws-israeli-business-sheets
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends the global installation of the npm package '@google/gws'. This package name uses the '@google' scope to appear official, but it is not a documented public package from the trusted vendor Google. This is a common pattern for dependency confusion or typosquatting attacks designed to execute malicious code on the host system (File: SKILL.md, SKILL_HE.md).
- [COMMAND_EXECUTION]: The script 'scripts/backup-sheets.py' executes shell commands via 'subprocess.run' using arguments such as sheet tab names that are derived from external inputs. This provides a mechanism for local command execution through the gws binary.
- [DATA_EXFILTRATION]: The skill is designed to handle sensitive financial records, including income, expenses, and VAT details. It requests capabilities to read this data via CLI tools and write it to the local file system. While no active exfiltration was detected, the combination of sensitive data access and shell capabilities represents a high-risk surface.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by reading untrusted data from Google Sheets. Evidence chain:
  1. Ingestion points: Data enters the context via 'gws sheets read' and the 'load_data' function in 'scripts/vat-summary.py'.
  2. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill has 'Bash(gws:)', 'Bash(python:)', and 'Write' permissions.
  4. Sanitization: Absent; the data is parsed and passed directly to summarization or file-writing logic.

  Malicious instructions embedded in spreadsheet columns like 'Description' or 'Notes' could be interpreted by the agent (File: SKILL.md, scripts/vat-summary.py).
Recommendations
- AI detected serious security threats