Telos

Fail

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The file save API (DashboardTemplate/App/api/file/save/route.ts) and the upload API (DashboardTemplate/App/api/upload/route.ts) are vulnerable to path traversal. Both endpoints use path.join with user-provided filenames without sanitization, allowing an attacker to overwrite sensitive system files (e.g., .bashrc, .ssh/authorized_keys) by using ../ sequences.
  • [DATA_EXFILTRATION]: The AI chat functionality (DashboardTemplate/App/api/chat/route.ts) automatically gathers the entire contents of the user's Personal TELOS directory. This includes highly sensitive documents such as TRAUMAS.md, BELIEFS.md, WISDOM.md, and GOALS.md. This data is injected into the system prompt and sent to an external inference tool, exposing the user's private life context to a third-party AI provider.
  • [COMMAND_EXECUTION]: The skill's main instruction file (SKILL.md) mandates a voice notification step that forces execution of a curl command against a local endpoint (http://localhost:8888/notify) immediately upon every invocation of the skill.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). The dashboard allows users to upload .md and .csv files which are then indexed and used as system context for the AI assistant without sanitization or boundary markers. A malicious file could contain hidden instructions that cause the assistant to leak data or ignore safety constraints when the user interacts with the 'Ask' feature.
  • [COMMAND_EXECUTION]: The chat API uses child_process.spawn to execute a local Bun script (Inference.ts) to handle AI requests. While the path is rooted in the home directory, the reliance on spawning local processes for core functionality increases the attack surface if combined with other vulnerabilities.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 23, 2026, 12:26 AM