baoyu-danger-x-to-markdown

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: A hardcoded Bearer Token is present in scripts/constants.ts (DEFAULT_BEARER_TOKEN). While this appears to be a public token used for the X web application, hardcoding authorization headers is a security risk.
  • [DATA_EXFILTRATION]: The skill accesses and manages sensitive authentication data. It reads from and writes to a cookie file (cookies.json) located in system-specific application support directories (~/Library/Application Support/baoyu-skills/ or ~/.local/share/baoyu-skills/). It also attempts to read Chrome profiles to extract session information.
  • [EXTERNAL_DOWNLOADS]: The scripts/media-localizer.ts file implements logic to download images and videos from arbitrary remote URLs found within tweet content to the local filesystem. This involves automated network requests to non-whitelisted domains such as pbs.twimg.com and video.twimg.com.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      • Ingestion points: Untrusted data enters the context via the X API in scripts/thread.ts and scripts/graphql.ts when fetching tweet or article content.
      • Boundary markers: Content is formatted into Markdown, but there are no explicit delimiters or instructions to the agent to ignore embedded commands within the fetched text.
      • Capability inventory: The skill has the capability to write files to the local system (scripts/main.ts) and perform network operations (scripts/media-localizer.ts).
      • Sanitization: Filenames and slugs are sanitized to prevent path traversal, but the actual tweet/article content is not sanitized for malicious instructions before being passed to the agent.
  • [COMMAND_EXECUTION]: The documentation in SKILL.md instructs the user/agent to execute scripts using npx -y bun, which involves running a runtime manager and executing local scripts that perform filesystem and network operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 9, 2026, 11:41 PM