dingtalk-skill-creator

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to generate shell scripts in /tmp/ and execute them via bash. It also directs the agent to run uv run pytest to execute local Python test files.
  • Evidence: create_file /tmp/<task>.sh then bash execute it; uv run pytest dingtalk-<skill-name>/test_<module>_sdk.py.
  • [DATA_EXFILTRATION]: The skill processes sensitive information by reading .env files and the ~/.dingtalk-skills/config path to retrieve API tokens and secrets. While it sends this data to the well-known api.dingtalk.com service, the handling of raw credentials from the filesystem is a high-risk activity.
  • Evidence: env = pathlib.Path(".env").read_text(); ~/.dingtalk-skills/config (configuration file); TOKEN=$(bash scripts/dt_helper.sh --token).
  • [REMOTE_CODE_EXECUTION]: The skill uses Python's requests library and the alibabacloud_dingtalk SDK to interact with external API endpoints. It executes code that retrieves and processes data from these remote services during its testing phases.
  • Evidence: requests.post(f"https://api.dingtalk.com/v1.0/xxx/users/{uid}/items", ...).
  • [INDIRECT_PROMPT_INJECTION]: The skill has a surface for indirect injection as it reads and parses local SDK source files (client.py, models.py) using grep and sed. If these files were compromised, they could influence the agent's behavior during the 'exploration' phase.
  • Ingestion points: SDK file paths (e.g., /home/breath/project/personal/dingtalk-skills/tests/.venv/lib/python3.13/site-packages/alibabacloud_dingtalk/).
  • Boundary markers: Absent.
  • Capability inventory: Shell execution (bash), file-write, network operations (requests).
  • Sanitization: None documented for the parsing logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 06:53 AM