content-factory

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive browser session files and cookie stores (e.g., ~/.playwright-data/xiaohongshu/state.json and ~/.xiaohongshu/cookies.json) to perform automated actions. While this serves the skill's primary purpose of auto-publishing, it is high-privilege data access. Furthermore, the skill hardcodes a specific Telegram chat ID (8518085684) as the recipient for draft reviews and topic cards in scripts/draft_reviewer.py and scripts/topic_presenter.py, so by default user data is sent to the author's account.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it ingests untrusted data from 10+ external social platforms without sanitization.
    • Ingestion points: scripts/aggregator/fetch_all.py scrapes titles, summaries, and descriptions from platforms including Weibo, 知乎, GitHub, Reddit, and LinuxDo.
    • Boundary markers: Absent; scraped content is interpolated directly into LLM prompts in scripts/topic_scorer.py and scripts/content_generator.py without clear delimiters.
    • Capability inventory: Subprocess command execution, automated social media publishing (scripts/auto_publisher.py), and Telegram messaging.
    • Sanitization: Absent; content is passed to LLMs as raw text strings.
  • [COMMAND_EXECUTION]: Multiple scripts use subprocess.run to execute system binaries, including curl for networking, pkill for browser management, and the pass password manager for credential retrieval.
  • [EXTERNAL_DOWNLOADS]: The aggregator fetches data from numerous external domains and APIs, including Viki.moe, Bilibili, GitHub, Reddit, and WeChat/Sogou search.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 08:55 AM