todo-tracker

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/todo.sh contains a shell command injection vulnerability. User-provided input (task names and search patterns) is passed to the script as arguments and then interpolated into double-quoted strings in grep and sed commands. For example, the mark_done and remove_item functions use the $pattern variable inside a double-quoted string: grep -q "- \[ \].*$pattern". If the input contains shell metacharacters such as $() or backticks, the shell executes the embedded commands when the script runs.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface: it ingests and stores untrusted user content in the TODO.md file, which is later read back into the agent's context.
    1. Ingestion points: user-provided task descriptions and search patterns are stored in TODO.md and passed as command-line arguments, as defined in SKILL.md.
    2. Boundary markers: no delimiters, and no instructions to ignore embedded commands, are present when the agent reads the TODO.md file.
    3. Capability inventory: the skill executes subprocesses via the bash interpreter, as defined in SKILL.md.
    4. Sanitization: the skill performs no validation, escaping, or sanitization of input strings before they are used in shell commands or written to the filesystem.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 6, 2026, 08:09 AM