openhanako-personal-ai-agent
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides direct links to download binary installers (.dmg for macOS, .exe for Windows) from an untrusted GitHub repository (liliMozi/openhanako). It explicitly instructs users to bypass critical OS security features, such as macOS Gatekeeper and Windows SmartScreen, to run these unsigned applications.
- [COMMAND_EXECUTION]: The platform includes a built-in run_command tool that allows agents to execute arbitrary shell commands on the host system. This capability, while documented as a feature, presents a high risk of full system compromise if the agent is manipulated via malicious instructions.
- [REMOTE_CODE_EXECUTION]: The skill enables remote code execution through the execute_js tool, which runs arbitrary JavaScript, and the skillManager.installFromGitHub function, which allows downloading and executing code from external, untrusted repositories.
- [DATA_EXFILTRATION]: The architecture combines sensitive data access capabilities (file reading, screenshots, local SQLite databases) with network-enabled bridges (Telegram, Feishu, QQ) and web browsing tools. This configuration allows for the silent exfiltration of local files and user data to remote endpoints.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection, as it processes untrusted data from web pages, scrapers, and messaging bridges (Ingestion points: SKILL.md, core/lib/bridge). The instructions do not define boundary markers to separate data from instructions (Boundary markers: Absent). The agent possesses high-privilege capabilities, including terminal access and file modification (Capability inventory: SKILL.md). Although PathGuard and sandboxing are mentioned, there is no evidence of sanitization or filtering for embedded instructions in external data (Sanitization: Absent).
Recommendations
- AI detected serious security threats
Audit Metadata