skills/arnaudjnn/gtm-skills/outbound/Gen Agent Trust Hub

outbound

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to construct shell commands by interpolating parameters into a single-quoted curl payload in SKILL.md and references/tools-reference.md. This pattern is vulnerable to command injection: if an argument, such as an untrusted email body, contains a single quote, it can terminate the single-quoted JSON string and allow execution of arbitrary shell commands on the host machine.
  • [PROMPT_INJECTION]: The skill processes untrusted incoming email content to drive automated workflows like sentiment classification and follow-up sequencing, creating an indirect prompt injection surface.
      • Ingestion points: The list_received_emails tool in classify-replies/SKILL.md and follow-up/SKILL.md reads external email bodies into the agent's context.
      • Boundary markers: Absent. There are no instructions to the agent to distinguish between system instructions and external email content or to ignore embedded instructions.
      • Capability inventory: The skill possesses the ability to send_email, add_email_tag, and manage audience segments, which could be abused by an attacker via crafted email content.
      • Sanitization: Absent. The instructions lack any requirement for validation, escaping, or sanitization of ingested email text.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 7, 2026, 10:53 AM