x-article-downloader

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands (mkdir, mv, curl, yt-dlp) with variables derived from external, untrusted content (X article titles, author names, and image URLs).
      • Evidence: In SKILL.md, variables like ${NEW_TITLE}, ${AUTHOR}, and ${TWEET_ID} are used in commands such as mv "$OLD_DIR" "/path/to/x-to-markdown/{作者}/${NEW_TITLE}". If an attacker crafts an X article with a title containing shell metacharacters (e.g., ; rm -rf /), it could lead to arbitrary command execution on the host system if the agent does not properly sanitize these strings.
  • [DATA_EXFILTRATION]: The skill exposes and accesses sensitive local file system paths.
      • Evidence: The skill hardcodes an absolute path in the user's home directory: /Users/lytton/mac_wps_clound/Obsidian笔记知识库/宝藏资源库/x-to-markdown/. This exposes the author's local username (lytton) and internal directory structure, which is considered a sensitive information leak.
  • [EXTERNAL_DOWNLOADS]: The skill downloads content from external domains.
      • Evidence: It uses curl to fetch images from Twitter's CDN (twimg) and yt-dlp to download videos from x.com. While these are well-known services relevant to the skill's purpose, they involve fetching data from external URLs.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it ingests untrusted data from the web and uses it to drive subsequent actions.
      • Ingestion points: Data is ingested via agent-browser snapshot -c from X.com (SKILL.md).
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the processing logic.
      • Capability inventory: The skill utilizes mkdir, mv, curl, and yt-dlp (SKILL.md).
      • Sanitization: The instructions mention replacing special characters in the author's name, but the shell command templates themselves do not implement programmatic sanitization of the article titles or metadata.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 9, 2026, 11:41 PM