wispr-flow

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses the local Wispr Flow SQLite database at ~/Library/Application Support/Wispr Flow/flow.sqlite to retrieve voice dictation history. This access is essential for the skill's purpose and the data is used locally to generate recaps for the user.
  • [EXTERNAL_DOWNLOADS]: The generated HTML reports reference resources from external domains. These include the html2canvas library from cdnjs.cloudflare.com and application icons from legitimate sources like Apple's CDN (is1-ssl.mzstatic.com) and official product domains (e.g., cursor.sh, linear.app). All detected external references target well-known or trusted services.
  • [PROMPT_INJECTION]: The skill processes user-generated transcripts, which creates a surface for indirect prompt injection.
      • Ingestion points: Transcripts are retrieved from the History table in the local flow.sqlite database (specifically the formattedText column).
      • Boundary markers: The Node.js scripts use markdown headers and blockquotes to structure CLI output, and the HTML generator uses an escapeHTML helper function for rendering.
      • Capability inventory: The scripts have file system write access (fs.writeFileSync) to the user's Desktop. The agent's instructions in SKILL.md direct it to summarize and synthesize these transcripts, which could lead to following instructions embedded in the dictation history.
      • Sanitization: While HTML content is escaped to prevent browser-based attacks, the transcripts are not filtered for instructions that might target the AI's behavior during the summarization process.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 01:01 PM