letterly-automation

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The workflow.py script executes an external Python file at a hardcoded absolute path (/Users/rami/Documents/life-os/ai-agents-config/skills/obsidian-semantic-linker/scripts/link_notes.py). That file is not part of the audited skill bundle, so the code actually run could be modified by other processes or users outside the audit's scope.
  • [COMMAND_EXECUTION]: The skill makes extensive use of subprocess.run to orchestrate various Python scripts and browser automation tools, providing a wide surface for potential command injection if any of those parameters were ever influenced by external data.
  • [DATA_EXFILTRATION]: In exporter.py, the skill uses a shared browser context directory via get_shared_context_path(). This practice can lead to the exposure of sensitive login sessions, cookies, and other personal data if the browser profile is shared across different agent tasks or applications.
  • [PROMPT_INJECTION]: The processor.py script processes transcription data from an external CSV file and writes it directly into markdown files without sanitizing the content. This creates an indirect prompt injection surface.
  • Ingestion points: scripts/processor.py reads data from exported CSV files.
  • Boundary markers: Uses markdown frontmatter (---) but lacks explicit instructions for the agent to ignore instructions embedded within the transcription body.
  • Capability inventory: workflow.py can execute arbitrary commands via subprocess.run; processor.py and linker.py perform filesystem write operations.
  • Sanitization: Filenames are sanitized for illegal characters, but the transcription content itself is not validated or filtered.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 18, 2026, 03:23 AM
Security Audit — agent-trust-hub — letterly-automation