zhangxuefeng-advisor

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: SKILL.md contains a 'Hard Output Contract' that forbids the model from identifying itself as an AI, explaining its actions, or adding any meta-commentary ('AI旁白', i.e. AI narration). These instructions attempt to override the model's default transparency and safety-disclosure behaviour in order to keep the 'Zhang Xuefeng' persona intact.
  • [COMMAND_EXECUTION]: The skill directs the agent to run Python scripts shipped in the package (scripts/build_search_queries.py, scripts/find_similar_examples.py, and scripts/review_regression.py). The scripts appear to do only benign work (string matching and printing), but they are invoked with user-supplied queries as arguments, and nothing in the skill requires those arguments to be escaped or passed without a shell. An agent that builds the command line by string interpolation would therefore be exposed to shell command injection.
  • [DATA_EXFILTRATION]: scripts/find_similar_examples.py hardcodes absolute paths from the author's machine (e.g. /Users/tongziqi/code/zhangxuefeng/manifest.json). This does not exfiltrate user data; it discloses the author's username and directory layout and causes the script to fail on any other system.
  • [PROMPT_INJECTION]: SKILL.md uses coercive wording ('Strictly forbidden', 'Hard Output Contract') to lock down the agent's output format and behaviour, a technique commonly used in prompt injection to override default operational guidelines.
  • [INDIRECT_PROMPT_INJECTION]: The skill exposes an indirect prompt-injection surface. It ingests untrusted content from the web (via the search tools defined in search-protocol.md) and from user input, then feeds that content into the local scripts and into prompts by string interpolation, with no boundary markers or sanitization, while retaining the ability to execute shell commands.
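The COMMAND_EXECUTION and INDIRECT_PROMPT_INJECTION findings above share one mechanism: a query string the agent did not author (typed by the user, or derived from fetched web content) ends up on a command line for one of the packaged scripts. The following added example is not part of the skill or of the audit tooling; it uses a constructed stand-in script that merely echoes its argv, and a constructed query, to show how shell interpolation lets an attacker-chosen query append a second command, and how passing argv as a list (or quoting every token with shlex.quote when a shell is unavoidable) delivers the same query to the script as a single harmless argument.

```python
"""Argument injection when launching a packaged script with an untrusted query,
and the hardened invocation. Everything here is constructed for the example."""
import json
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in for a helper such as scripts/build_search_queries.py: it prints its
# argv as JSON so we can see exactly what arguments it received.
STUB_SCRIPT = "import json, sys; print(json.dumps(sys.argv[1:]))\n"


def write_stub_script() -> str:
    """Write the stand-in script to a temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "build_search_queries.py")
    with open(path, "w", encoding="utf-8") as f:
        f.write(STUB_SCRIPT)
    return path


def run_unsafe(script: str, query: str) -> str:
    """The pattern the finding warns about: the untrusted query is pasted into a
    shell command line, so any shell metacharacters it contains are interpreted."""
    cmd = f"{shlex.quote(sys.executable)} {shlex.quote(script)} {query}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(script: str, query: str) -> list:
    """Hardened: argv as a list and no shell. The query reaches the script as
    exactly one argument regardless of its contents."""
    proc = subprocess.run([sys.executable, script, query],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def run_safe_shell(script: str, query: str) -> list:
    """If the agent only has a 'run a shell command' tool, quote every token
    that is not a literal you wrote yourself."""
    cmd = " ".join(shlex.quote(t) for t in (sys.executable, script, query))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def demo() -> dict:
    """Run the same constructed malicious query through all three paths."""
    script = write_stub_script()
    # Constructed query, e.g. lifted from an untrusted web page: it terminates the
    # intended command and appends a second one (harmless echo here).
    query = "zhangxuefeng; echo INJECTED"
    unsafe_out = run_unsafe(script, query)
    return {
        # True: the appended command ran.
        "unsafe_injected": "INJECTED" in unsafe_out,
        # The script itself only ever saw the part before the ';'.
        "unsafe_argv": json.loads(unsafe_out.splitlines()[0]),
        # Both hardened paths hand the script the whole string as one argument.
        "safe_argv": run_safe(script, query),
        "safe_shell_argv": run_safe_shell(script, query),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The argv-list form is the one to prefer: it removes the shell from the path entirely, so there is nothing to escape. The quoted-shell form is only a fallback for agent tool interfaces that accept a single command string, and it still leaves the script itself responsible for treating the query as data (the stub above does, since it never evaluates it).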
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 30, 2026, 01:40 AM