client-package-local
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface: it reads and processes user-provided files (strategies, leads, and content) from the local workspace, so maliciously crafted text in those source files could steer the agent's behavior during summary generation or packaging. Evidence: 1) Ingestion points: files within the clients/<client_name>/ subdirectories. 2) Boundary markers: absent; file content is not delimited from the agent's instructions. 3) Capability inventory: local file system access and Google Sheets write access. 4) Sanitization: no explicit content validation or escaping is performed.
- [COMMAND_EXECUTION]: The playbook uses shell commands (mkdir -p) to create the delivery directory structure. Interpolating unvalidated inputs such as client_name and date into these commands risks command injection if the values are spliced into a command string that a shell re-parses, rather than passed as separate, quoted arguments, or if the execution environment does not rigorously escape them.
- [DATA_EXFILTRATION]: The skill extracts data from local files and uploads it to Google Sheets. This is the intended functionality and targets a well-known service (Google) via a vendor-provided MCP server ('rube'), but it still transfers local workspace data to an external cloud platform.
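The COMMAND_EXECUTION finding above turns on how client_name and date reach mkdir. The following is an added example, not code from the audited skill, contrasting the vulnerable pattern (values spliced into a command string that a shell re-parses) with a hardened one (allowlist validation, then a direct mkdir call with quoted arguments). The directory layout clients/<client_name>/deliveries/<date>, the function names, and the injected date value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the audited skill. The layout
# clients/<client_name>/deliveries/<date> and the function names are assumed.

# VULNERABLE: the path is spliced into a command string and re-parsed by a
# shell, so `;`, `$(...)`, `|` and friends inside client_name or date run
# as commands in the agent's execution environment.
unsafe_mkdir() {
  base=$1 client=$2 date=$3
  sh -c "mkdir -p $base/clients/$client/deliveries/$date"
}

# Allowlist: 1-64 characters of letters, digits, dash or underscore. No `/`,
# `.` or whitespace, so path traversal (../) is rejected along with shell
# metacharacters.
valid_client_name() {
  [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
  case $1 in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Allowlist: exactly the shape YYYY-MM-DD (calendar validity is out of scope).
valid_date() {
  case $1 in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# HARDENED: reject anything outside the allowlists, then call mkdir directly
# with quoted arguments and `--`, so the values are never re-parsed as shell
# syntax and cannot be mistaken for options.
safe_mkdir() {
  base=$1 client=$2 date=$3
  valid_client_name "$client" || { echo "rejected client_name: $client" >&2; return 1; }
  valid_date "$date" || { echo "rejected date: $date" >&2; return 1; }
  mkdir -p -- "$base/clients/$client/deliveries/$date"
}

# Demo with a constructed malicious date value.
demo=$(mktemp -d)
echo "unsafe_mkdir output: $(unsafe_mkdir "$demo" acme '2026-03-31; echo INJECTED')"
safe_mkdir "$demo" acme '2026-03-31; echo INJECTED' || echo "safe_mkdir rejected the payload"
safe_mkdir "$demo" acme 2026-03-31 && echo "created $demo/clients/acme/deliveries/2026-03-31"
rm -rf "$demo"
```

Quoting alone is not enough: a quoted "$client" of ../../etc still traverses out of the workspace, which is why the allowlist rejects dots and slashes rather than relying on escaping. The same allowlists can be applied before the values are ever written into a playbook step, which is the check the audited skill lacks.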
Audit Metadata