inbox

Fail

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Shell command injection vulnerabilities exist in multiple modes where user-provided input is interpolated directly into bash commands. In Mode 1 (Read), the instruction ls -1t "$INBOX"/*<topic>*.md places the <topic> placeholder, unquoted, inside a shell glob, allowing an attacker to execute arbitrary commands using shell metacharacters (e.g., ;, |, &). In Mode 2 (Write), the logic SLUG=$(echo "<topic>" | ...) is also vulnerable: although the placeholder sits inside double quotes within an echo command, double quotes do not suppress command substitution, so it remains susceptible to $(...) or backtick sequences.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes and displays content from a shared directory that can be modified by other users or agents.
  • Ingestion points: The skill reads the full content of all .md files located in the ψ/inbox/ directory via the /inbox read commands.
  • Boundary markers: None; the skill does not use delimiters or provide the agent with instructions to ignore embedded commands within the inbox items.
  • Capability inventory: The skill has significant capabilities including file system modification (reading, writing, and moving files), directory creation, and arbitrary shell command execution.
  • Sanitization: No sanitization or validation is performed on the actual content of the files being read from the inbox.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 26, 2026, 02:42 AM