qq-email-operator

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/qq_email.py invokes the pass command-line utility to fetch email authorization codes. While it uses an argument list to avoid shell injection, this interaction with a local password manager introduces complexity that requires careful input handling.
    • Evidence: The function get_auth_code in scripts/qq_email.py uses subprocess.run(["pass", "show", path], ...) to retrieve credentials.
  • [DATA_EXFILTRATION]: A path traversal vulnerability exists in the credential retrieval logic within scripts/qq_email.py. The script constructs the path for the pass utility directly from the user-provided --account argument without validation. This could allow an attacker to read unauthorized secrets from the user's password store by providing a path containing directory traversal sequences (e.g., ../../other_secret).
    • Evidence: The path variable in get_auth_code is formatted as f"email/qq/{account}" where account is an unvalidated input parameter.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external emails which could contain malicious instructions for the agent.
    • Ingestion points: scripts/qq_email.py fetches email headers and bodies through the IMAP protocol from imap.qq.com.
    • Boundary markers: Absent. Email content is presented to the agent without delimiters or explicit instructions to ignore potentially malicious commands embedded in the text.
    • Capability inventory: The skill possesses the ability to send and reply to emails via SMTP (smtplib.send_message), which could be abused if the agent follows instructions found within a processed email.
    • Sanitization: Absent. The script performs basic HTML-to-text conversion but does not sanitize content to prevent it from being interpreted as instructions by the language model.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 22, 2026, 11:34 PM
Security Audit — agent-trust-hub — qq-email-operator