create-anyone

Warn

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: MEDIUM

Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to access and read highly sensitive local files, specifically targeting the macOS iMessage database at ~/Library/Messages/chat.db. It also instructs the agent to process other private communication archives like WeChat databases, which exposes private data to the AI context.
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to use the npx command to download and execute the openpersona CLI tool and other skill management tools from the npm registry at runtime.
  • [EXTERNAL_DOWNLOADS]: Dependencies and tools are fetched from external sources at runtime via npx and potentially git clone during the installation and generation phases.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to execute local Python scripts (preprocess.py, skill_writer.py, version_manager.py) and external command-line utilities like npx.
  • [PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection. It ingests raw, untrusted data from sources such as chat exports, social media archives, and web search results. This content is processed without boundary markers or sanitization, allowing malicious instructions hidden within the source material to influence the agent's behavior.
    • Ingestion points: Untrusted data enters the context via the Read tool (local exports/files) and the WebSearch tool (public figure research).
    • Boundary markers: The instructions do not define specific delimiters or warnings to ignore embedded commands when processing these external data sources.
    • Capability inventory: The agent has access to Bash (for executing code) and Write/Edit (for modifying the local filesystem).
    • Sanitization: The instructions recommend redacting PII but do not provide mechanisms for filtering or escaping potential instructions embedded in the processed text.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 13, 2026, 01:44 PM