ceos-scorecard-autopull

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of ingesting untrusted external data.
      • Ingestion points: The skill reads content from L10 meeting notes (data/meetings/l10/), CRM records (Attio/HubSpot), calendar events, and email messages (Gmail).
      • Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the ingested data before processing it for synthesis.
      • Capability inventory: The skill possesses Bash (command execution) and Write (file modification) capabilities, which could be targeted by injected instructions.
      • Sanitization: No sanitization or validation logic is defined to filter out potentially malicious natural language instructions from the processed data.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform filesystem operations, such as searching for the .ceos marker file and scanning for deliverables. While consistent with its stated purpose of repository management, the presence of shell execution capabilities increases the potential impact of other vulnerabilities.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 04:57 PM