The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/speak.sh is vulnerable to shell command injection. The variable $TEXT is interpolated directly into system commands like say, espeak, and festival using double quotes. In a Bash environment, this allows for command substitution (e.g., passing $(id) as text) to execute arbitrary commands on the host system.
[REMOTE_CODE_EXECUTION]: The script scripts/speak-browser.sh uses the Chrome DevTools Protocol Runtime.evaluate to execute JavaScript in a browser. It injects user-controlled text into a template literal. Because it only escapes backticks and not the ${} interpolation syntax, an attacker can execute arbitrary JavaScript within the browser context (e.g., stealing cookies or performing actions on behalf of the user).
[CREDENTIALS_UNSAFE]: The skill includes two undocumented scripts, scripts/send-email.py and scripts/send_email.js, which are unrelated to the stated purpose of voice output. These scripts access sensitive environment variables (POPEBOT_EMAIL_USER, POPEBOT_EMAIL_PASS, etc.) and provide a mechanism to send emails via Gmail SMTP. The presence of hidden functionality that handles credentials is a significant security risk.
[EXTERNAL_DOWNLOADS]: The documentation in SKILL.md encourages the use of sudo apt install to download and install external software (espeak), which requires administrative privileges and external network access.

voice-output