wecom-automation

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The install.sh script performs system-level operations using sudo, including the installation of system dependencies via apt, database creation, and the compilation of the pgvector extension from source code.
  • [COMMAND_EXECUTION]: The message handling logic in workflows/handle_message.js and workflows/on_event.js uses child_process.spawn to dynamically execute local Python scripts. User-provided text from WeChat messages is passed directly as command-line arguments to these scripts.
  • [EXTERNAL_DOWNLOADS]: The installation script fetches the pgvector source code from its official repository on GitHub and installs numerous packages from the NPM and PyPI registries. These are standard operations for setting up the skill's required environment.
  • [PROMPT_INJECTION]: The skill acts as an interface between untrusted WeChat users and an LLM, making it a surface for indirect prompt injection.
      • Ingestion points: Incoming messages, file attachments (DOCX, PDF), and images (OCR) are processed in bot.js and passed to the logic layer.
      • Boundary markers: No specific delimiters or safety instructions were observed in the JavaScript wrappers to prevent the LLM from following instructions embedded in user messages.
      • Capability inventory: The skill possesses the ability to execute local scripts, read/write to the local filesystem (in /tmp), and communicate with external APIs (LLM providers and Telegram).
      • Sanitization: There is no evidence of explicit sanitization or filtering of the content received from WeChat before it is sent to the LLM scripts.
  • [CREDENTIALS_UNSAFE]: The skill's configuration pattern relies on a .env file to store sensitive information such as the WECHATY_TOKEN, LLM_API_KEY, and TELEGRAM_BOT_TOKEN. These credentials are consumed as environment variables or passed as CLI arguments; values passed on the command line can be exposed to other local users through system process listings.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 9, 2026, 10:14 PM