The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external communications without sufficient isolation.
Ingestion points: The quo script retrieves untrusted content from the OpenPhone API using subcommands such as transcript, summary, voicemails, and messages (file: quo).
Boundary markers: The output lacks specific delimiters or warnings to prevent the AI agent from interpreting instructions embedded within transcripts or messages as its own.
Capability inventory: The script quo possesses significant capabilities, including sending SMS messages via the send command and executing arbitrary API requests via the raw command, which can perform POST, PATCH, and DELETE operations.
Sanitization: No sanitization or content filtering is performed on the retrieved text before it is returned to the agent's context.
[DATA_EXFILTRATION]: The skill caches contact data, including personal details like names, emails, and phone numbers, in /tmp/quo-contacts-cache.json. On multi-user systems, the /tmp directory is often globally accessible, which could lead to unauthorized exposure of Private Identifiable Information (PII).
[COMMAND_EXECUTION]: The script implements a raw command that allows the agent to interact with any endpoint of the OpenPhone API. This broad access increases the risk that an agent, if misled by malicious input, could perform destructive actions like deleting contacts or workspace users.

quo