NYC

automating-keynote

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Potential AppleScript injection in scripts/export_keynote_presentation.py. The script uses Python f-strings to interpolate input_file and output_file directly into an AppleScript string that is then executed via osascript. An attacker providing a maliciously crafted file path (e.g., containing double quotes and newlines) could break out of the string literal and execute arbitrary AppleScript commands.
  • [COMMAND_EXECUTION] (HIGH): Similar AppleScript injection vulnerability in scripts/create_keynote_presentation.py. The title and save_path arguments are interpolated into an AppleScript block without any sanitization or escaping, allowing for local code execution through the scripting bridge.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The documentation in references/keynote-advanced.md promotes a 'Bridge Pattern' for chart generation. This pattern involves manually building AppleScript source code strings by concatenating JavaScript variables (like rowNames and dataRows) and executing them via app.runScript(asScript). This is a dangerous pattern that bypasses standard API safety and introduces injection risks.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill contains a vulnerability surface for indirect prompt injection in scripts/markdown_to_keynote.py.
      • Ingestion points: The script reads and parses content from a user-supplied .md file.
      • Boundary markers: None used; the script treats all header and list content as direct text for slides.
      • Capability inventory: The skill allows full manipulation of Keynote, file system writes (exports), and indirect execution of AppleScript via other scripts in the package.
      • Sanitization: None; the script directly assigns parsed markdown strings to slide placeholders via PyXA.
  • [DATA_EXPOSURE] (LOW): scripts/create_presentation.js contains a hardcoded absolute path (/Users/richardhightower/...), which discloses the local system username and directory structure.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:28 PM