agent-webex

Warn

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill features a browser token extraction capability that directly reads sensitive session credentials and encryption keys from Chromium-based browser profile directories (LevelDB files) on the local disk. While documented as a feature, this bypasses standard OAuth authorization prompts and allows the agent to access the user's active web sessions. Evidence is found in SKILL.md and references/authentication.md, which describe scanning on-disk storage for credentials.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from Webex messages and spaces.
      • Ingestion points: The agent uses agent-webex message list and agent-webex snapshot to read external content (SKILL.md).
      • Boundary markers: No markers or 'ignore' instructions are provided to help the agent distinguish between its instructions and the message data.
      • Capability inventory: The agent has access to the Bash tool (for executing Webex CLI commands) and can send or delete messages.
      • Sanitization: There is no mention of sanitizing or escaping the content read from external messages.
  • [COMMAND_EXECUTION]: The skill provides shell script templates in the templates/ directory that interpolate user-provided space IDs and message content directly into shell commands. This pattern creates a risk of command injection if the IDs or message strings are sourced from untrusted or maliciously crafted external inputs.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 8, 2026, 02:08 AM