marketing-content

Warn

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's implementation hooks utilize dynamic module loading and extensive path traversal to interact with the host environment.
      • In hooks/post-execute.cjs, the script uses require() with a path computed at runtime: path.resolve(__dirname, '../../../../tools/observability/send-event.cjs'). This dynamic loading from a computed path is a security concern as it can be exploited to execute arbitrary code if an attacker can manipulate the file structure or the resolution logic.
      • Both hooks/pre-execute.cjs and hooks/post-execute.cjs perform file system operations (reading schemas and appending to event logs) using relative path traversal (../../../../) to access files multiple levels above the skill's root directory. This demonstrates a reliance on a specific external environment structure that may grant broader file system access than necessary.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the ingestion and interpolation of untrusted user data into instructions.
      • Ingestion points: User-provided strings for topic, goal, and kpi are processed by scripts/main.cjs and intended for inclusion in content plans and briefs.
      • Boundary markers: The templates provided in templates/implementation-template.md do not utilize delimiters or specific instructions to prevent the agent from obeying commands embedded within the user-supplied fields.
      • Capability inventory: The skill is configured with the Bash, Read, and Write tools, providing a significant capability surface if an agent is successfully manipulated via injected instructions.
      • Sanitization: While hooks/pre-execute.cjs validates that the action and platform fields match expected enums, no sanitization, escaping, or filtering is performed on free-text inputs like topic to prevent them from containing malicious instructions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 6, 2026, 01:41 PM