The Agent Skills Directory

[COMMAND_EXECUTION]: The shell scripts scripts/insert-freshbooks.sh, scripts/query-freshbooks.sh, and scripts/query-intervals.sh are vulnerable to SQL injection. They construct SQL queries for the sqlite3 command-line tool by directly interpolating variables (such as $PROJECT, $DESCRIPTION, $FROM, and $TO) without sanitization. If data ingested from the Intervals service contains malicious SQL fragments, it can result in arbitrary SQL execution within the local database context.
[CREDENTIALS_UNSAFE]: The skill requires access to sensitive files, specifically the FreshBooks API credentials located at ~/.config/freshbooks/credentials.json. It also specifies access to a local database at a hardcoded path in the user's home directory (/home/olivier/Code/github.com/olivoil/obsidian).
[DATA_EXFILTRATION]: The skill's workflow involves reading data from a local database and transmitting it to the FreshBooks external API. While this is the intended sync behavior, it facilitates the movement of local data to an external service.
[COMMAND_EXECUTION]: The skill utilizes browser automation capabilities via the Chrome remote debugging port (9222) to interact with the FreshBooks web interface, allowing programmatic control over the user's browser session and navigation.
[PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection.
Ingestion points: Data enters the agent context from the intervals_time_entries table in the local SQLite database (via scripts/query-intervals.sh).
Boundary markers: None are present to delimit the external data or warn the agent about embedded instructions.
Capability inventory: The skill can perform database writes (insert-freshbooks.sh), network operations (FreshBooks API via freshbooks-api.sh), and local filesystem writes (write-vault-section).
Sanitization: There is no evidence of escaping, validation, or filtering of the content retrieved from the database before it is used in further operations.

freshbooks-time-entry