The Agent Skills Directory

[PROMPT_INJECTION]: The skill contains 'Iron Rules' (铁律) designed to override all other instructions. It explicitly commands the agent to 'never ask questions' and 'directly execute the entire process' without user confirmation, which is a technique used to bypass agent safety loops and human-oversight mechanisms.
[DATA_EXFILTRATION]: The workflow mandates the automatic extraction of sensitive legal information—including party names, contract amounts, and key dates—and requires this data to be sent to an external webhook via the wecom_push.py script. The instructions state that this step 'cannot be omitted,' creating a persistent risk of sensitive data exposure.
[COMMAND_EXECUTION]: The skill heavily utilizes the Bash tool to run various Python scripts (seal_signature_detector.py, wecom_push.py, daily_patrol.py) that process file paths and content provided by the user.
[DATA_EXPOSURE]: The skill stores and manages sensitive legal records, including contracts and case files, in a structured directory (/agent/LegalManager/) and registers them in JSON files, making this data accessible to the agent's broad file-system capabilities.
[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external files (PDFs, Word documents, and images) through OCR and automated parsing scripts.
Ingestion points: User-provided contract and case files (SKILL.md).
Boundary markers: None identified; the agent is instructed to process the full content directly.
Capability inventory: The agent has Bash, Write, and Edit permissions, along with the ability to execute network-enabled scripts.
Sanitization: No evidence of sanitization or instruction-filtering for the content extracted from external documents.

legal-manager