phone-call

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): In scripts/phone_call.sh, shell variables like $CALL_ID and $FLUENTS_API_URL are interpolated directly into a Python command string passed to python3 -c. If the external API (fluents.ai) returns a malicious ID containing Python delimiters (e.g., single quotes), it could result in arbitrary code execution on the user's system.
  • [PROMPT_INJECTION] (LOW): The skill's primary function involves retrieving and analyzing call transcripts from an external service. These transcripts contain untrusted data from third-party callers. Without proper boundary markers or sanitization, this content could be used to perform indirect prompt injection attacks against the AI agent.
      • Ingestion points: Transcripts are fetched via scripts/get_call_result.py.
      • Boundary markers: None identified in the prompt templates or scripts.
      • Capability inventory: The skill provides scripts for making calls, downloading recordings, and running diagnostics, all of which run in the local environment.
      • Sanitization: No sanitization or validation of the transcript content is performed before processing.
  • [DATA_EXFILTRATION] (LOW): The diagnostic script scripts/diagnose.py logs partial fragments of the FLUENTS_API_KEY (first 10 and last 4 characters). While not a full exposure, logging secret fragments is a poor security practice that can lead to credential leakage in shared log environments.
  • [EXTERNAL_DOWNLOADS] (LOW): scripts/get_recording.py downloads MP3 files from api.fluents.ai to the local filesystem without verifying the source's integrity or performing content validation, posing a minor risk of file-based attacks if the endpoint is compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:11 PM