persona (skills/b-open-io/prompts/persona)

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection: it incorporates external, untrusted content (social media posts and version-control history) into LLM prompts, so any instruction embedded in that content reaches the model alongside the skill's own instructions.
  • Ingestion points: Untrusted data is retrieved from X posts (scripts/capture.sh), GitHub commit messages (scripts/git-activity.sh), and xAI Grok social intelligence scans (scripts/scan.sh).
  • Boundary markers: The prompt template in scripts/draft.sh uses clear section headers (e.g., === YOUR VOICE ===, === RECENT GIT ACTIVITY ===, === TRENDING RIGHT NOW ===) to help the model distinguish between instructions and external data. These headers are a convention the model is asked to honour, not an enforced boundary: an untrusted post or commit message can itself contain a line that looks like a header, so they reduce rather than remove the risk.
  • Capability inventory: The skill has the ability to make API calls to Claude and Grok, execute local shell and TypeScript scripts, and serve a local web interface.
  • Sanitization: The skill builds its JSON payloads with jq, so external data is escaped as JSON string values. This prevents payload corruption and schema confusion (a value breaking out of its field into another field or key); it does not change what the model does with the text once it is inside the prompt.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations to well-known and trusted service providers. It communicates with api.x.com for social media data, api.anthropic.com for content drafting, api.x.ai for search-augmented intelligence, and api.github.com for developer activity tracking.
  • [COMMAND_EXECUTION]: The skill utilizes several mechanisms for dynamic and local execution to provide its functionality.
  • Local Script Spawning: The TypeScript-based playground (scripts/playground.ts) uses Bun.spawn to run image generation scripts. These calls are limited to local scripts within the skill's ecosystem.
  • Dynamic Script Generation: The scripts/preview.sh script generates and executes a temporary Python script via a heredoc to inject data into an HTML preview. The heredoc is shell-expanded, so the values of $USERNAME and $IMAGE_PATH are substituted into the Python source text before it runs, without strict character sanitization. This is used for legitimate local formatting, but it is a weak pattern: an attacker who could control either metadata field could close the string literal and append Python statements. The usual remedies are a quoted heredoc delimiter (no shell expansion in the script body) and passing the values to Python through the environment or arguments, where they are read as data rather than parsed as code.
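The following is an added example, not code from the persona skill or from scripts/preview.sh: it contrasts the shell-expanded heredoc pattern the audit describes with a hardened equivalent, using the variable names $USERNAME and $IMAGE_PATH from the audit. The Python bodies, the preview.html template and the hostile username are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the persona skill's own code). Variable names USERNAME and
# IMAGE_PATH come from the audit text; the Python bodies, preview.html and the
# payload below are hypothetical stand-ins for what scripts/preview.sh does.
set -euo pipefail

# Weak pattern: an UNQUOTED heredoc delimiter (<<EOF). bash expands $USERNAME
# and $IMAGE_PATH into the Python *source text* before python3 ever runs, so a
# single quote in either value ends the string literal and the rest is code.
gen_preview_unsafe() {
  local USERNAME="$1" IMAGE_PATH="$2"
  cat <<EOF
username = '$USERNAME'
image_path = '$IMAGE_PATH'
page = open('preview.html').read()
page = page.replace('{{user}}', username).replace('{{img}}', image_path)
open('preview.html', 'w').write(page)
EOF
}

# Hardened pattern: a QUOTED delimiter (<<'PY') disables every shell expansion,
# so the Python source is the same fixed string whatever the metadata contains.
# The values travel through the environment and are read as data. They are also
# HTML-escaped, because the second context (the HTML preview) has its own
# injection problem that fixing the first one does not address.
gen_preview_safe() {
  cat <<'PY'
import html, os
username = html.escape(os.environ["USERNAME"])
image_path = html.escape(os.environ["IMAGE_PATH"], quote=True)
page = open('preview.html').read()
page = page.replace('{{user}}', username).replace('{{img}}', image_path)
open('preview.html', 'w').write(page)
PY
}

# Runs the hardened script; the data never passes through shell expansion.
run_preview_safe() {
  USERNAME="$1" IMAGE_PATH="$2" python3 -c "$(gen_preview_safe)"
}

# Returns 0 if the Python source emitted by the given generator contains the
# fragment. Used to show what each pattern hands to the interpreter.
source_contains() {
  local fragment="$1"; shift
  "$@" | grep -qF -- "$fragment"
}

# Constructed hostile username: closes the literal, runs a command, reopens it.
PAYLOAD="'; import os; os.system('id'); x='"
if source_contains "os.system('id')" gen_preview_unsafe "$PAYLOAD" img.png; then
  echo "unsafe: the username became part of the Python program"
fi
if ! source_contains "os.system" gen_preview_safe; then
  echo "safe: the generated program is fixed; the payload stays in the environment"
fi
```

The two fixes are independent: the quoted delimiter closes the shell-to-Python injection, and html.escape closes the Python-to-HTML one. Passing the values as arguments (sys.argv) instead of environment variables works equally well; what matters is that the metadata never becomes part of the program text.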
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 03:27 AM