actionize

Fail

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Modifies the system crontab to establish long-term persistence.
      ◦ Evidence: Phase 4C explicitly instructs the agent to bypass session-scoped cron tools and add a system crontab entry running remind.sh daily.
      ◦ Evidence: Phase 8 adds another system crontab entry for sync.sh and diagnose-nudge.sh every three days.
  • [COMMAND_EXECUTION]: The generated done.sh script contains a command injection vulnerability.
      ◦ Evidence: The script uses ids = [$(echo "$@" | sed 's/ /, /g')] to inject CLI arguments directly into a Python heredoc, which allows arbitrary Python code execution if the input is not strictly numeric.
  • [CREDENTIALS_UNSAFE]: Programmatically harvests credentials from across the user's filesystem.
      ◦ Evidence: bin/diagnose-nudge.sh iterates through registered projects and uses grep to extract TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID from .env files located in other project directories.
  • [DATA_EXFILTRATION]: Transmits project metadata and task descriptions to an external API via background processes.
      ◦ Evidence: The remind.sh and diagnose-nudge.sh scripts use curl to send plan titles, task counts, and completion rates to the Telegram Bot API.
  • [REMOTE_CODE_EXECUTION]: Generates and executes multiple shell and Python scripts at runtime.
      ◦ Evidence: The skill writes executable scripts (done.sh, remind.sh, sync.sh, diagnose-prep.sh) to the .plan/bin/ directory and executes them via the shell.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection through external data ingestion.
      ◦ Evidence: The skill reads design documents and user-provided notes in Phase 1 to generate task breakdowns. These tasks are stored in markdown files and JSON, which are then processed by automated scripts and persistent cron jobs without sanitization or boundary markers.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 18, 2026, 04:21 PM