oh-story-claudecode-writing

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides several bash scripts (init_novel.sh, deslop_batch.sh, wordcount.sh) intended for local execution to manage file structures and automate tasks. It also requires users to launch their browser with a remote debugging port (9222) enabled, which exposes the local browser process to external control via the agent.
  • [DATA_EXFILTRATION]: Through the /browser-cdp command, the skill accesses and scrapes data from active, authenticated browser sessions. This creates a high-risk vector: sensitive session tokens, cookies, and private user data from web novel platforms can be accessed or exfiltrated whenever the agent interacts with a browser that has CDP remote debugging enabled.
  • [EXTERNAL_DOWNLOADS]: The installation instructions direct users to download and execute code from an untrusted GitHub repository (worldwonderer/oh-story-claudecode) using npx or direct repo ingestion, which can lead to the execution of unverified remote code on the user's system.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it is designed to ingest and process large amounts of external, attacker-controllable data from the web (scraped rankings) and provided novel text while possessing filesystem write capabilities.
    • Ingestion points: External web content scraped via /browser-cdp and novel chapters processed by /story-long-analyze.
    • Boundary markers: Absent; there are no specific markers or instructions provided to the agent to treat novel content as untrusted data.
    • Capability inventory: The agent has extensive file system write access (creating/modifying .md files) and the ability to execute provided shell scripts.
    • Sanitization: No sanitization or validation of the processed novel text or scraped HTML is mentioned or implemented in the instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 29, 2026, 06:05 AM