notebook

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Path traversal in the type definition command. The type-add command in cli.js accepts user-supplied type names without sanitization, and lib/store.js (getObjectPath) then uses those names directly as path components. A name containing path separators or parent-directory segments can therefore create directories and YAML files, or delete existing files, outside the notebook/ directory and potentially anywhere in the broader workspace.
  • [PROMPT_INJECTION]: Indirect prompt injection surface in the data retrieval workflow. The skill stores user-provided text in YAML files that the agent later reads and processes to generate questions or display information.
    • Ingestion points: CLI arguments to the add and edit commands in cli.js, persisted through the lib/store.js functions.
    • Boundary markers: No delimiters or instructional guards are applied when stored content is retrieved and presented to the agent by the expand and get commands.
    • Capability inventory: File system read, write, and delete operations, restricted to the workspace.
    • Sanitization: No validation or filtering is performed on stored content to prevent embedded instructions from reaching the agent.
  • [EXTERNAL_DOWNLOADS]: package-lock.json pins the uuid package at version 13.0.0. That version is not currently available on the official NPM registry for the standard uuid library, which is an anomalous dependency configuration.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 27, 2026, 01:25 PM