generate-list
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUM. Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands (e.g., `node "$CLI" ...`) that include the `$QUERY` variable and structured filters derived from natural language user input (`$ARGUMENTS`). If the agent fails to properly sanitize or escape these variables, a malicious user could provide input containing shell metacharacters (such as `;`, `&`, `|`, or backticks) to execute arbitrary commands on the underlying system.
- [CREDENTIALS_UNSAFE]: In Step 0, the skill instructs the agent to export a sensitive API key to the environment (`export VP_API_KEY="<api_key>"`). While this is a standard pattern for many CLI tools, it exposes the credential to any subsequent processes or scripts running in the same shell environment.
- [DYNAMIC_EXECUTION]: The skill utilizes `node -e` to execute a JavaScript snippet for parsing JSON data from temporary files. While the code template provided in the skill is static, this pattern of dynamic execution on files containing external data increases the attack surface.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes data fetched from an external source (the Vibe Prospecting API) and presents it to the user. If an attacker can influence the data returned by the API (e.g., by controlling a business's public profile), they could inject instructions aimed at the agent.
  - Ingestion points: Data fetched via the `vibep.js` CLI tool and stored in temporary JSON files (e.g., `/tmp/vibep-results.XXXXXX.json`).
  - Boundary markers: No specific delimiters or "ignore instructions" warnings are used when the agent reads and summarizes the fetched data.
  - Capability inventory: The agent has access to shell execution, file system reads/writes, and network operations through the provided tools.
  - Sanitization: The skill does not specify any validation or sanitization of the data retrieved from the external service before it is processed by the agent.
Audit Metadata