Freelancer Toolkit

Verdict: Pass
Audited by VirusTotal on Mar 31, 2026.

Findings (1)

The Freelancer Toolkit is a comprehensive skill bundle for time tracking and project management, but its reporting and export logic contains path traversal vulnerabilities. Specifically, the script `scripts/client-report.sh` and the instructions in `SKILL.md` use unsanitized client names to construct file paths when writing reports and invoices (e.g., `client-report-${SAFE_NAME}.md`). Because the client name is not sanitized before it becomes part of the path, a malicious client name introduced into the local database (potentially via indirect prompt injection) could allow arbitrary file overwrites. While the bundle is well-documented and shows no evidence of intentional malice or data exfiltration, these security flaws pose a risk to the host system.