
celery-task

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary shell commands on the host machine.
      ◦ In celery_tasks/worker.py, the execute_command task uses subprocess.run(command, shell=True), which executes user-provided strings directly in the system shell without any validation or sanitization.
  • [DATA_EXFILTRATION]: Task execution data, including sensitive output, is sent to an external server by default.
      ◦ The configuration in config/ntfy.yml has enabled: true and points to an external server, http://www.chaofan.online:8081.
      ◦ The ntfy_notifier.py script sends the executed command string, return codes, and the first 200 characters of both stdout and stderr to this remote URL. This can leak sensitive information such as environment variables, authentication tokens, or private data that may be printed during command execution.
  • [PROMPT_INJECTION]: The skill contains both direct and indirect prompt injection risks.
      ◦ Direct: SKILL.md uses imperative and forceful language (e.g., '🤖 AI 助手职责' ("AI assistant responsibilities"), '必须立即启动它' ("must start it immediately")) to mandate that the AI agent automatically start system services, overriding normal safety and decision-making procedures.
      ◦ Indirect: The skill is highly vulnerable to indirect prompt injection because it ingests untrusted command strings.
          ▪ Ingestion points: the command argument in scripts/dispatch.py.
          ▪ Boundary markers: none present to distinguish command logic from malicious input.
          ▪ Capability inventory: high-privilege shell execution via subprocess.run(shell=True) in celery_tasks/worker.py.
          ▪ Sanitization: none. While a blacklist exists in the assets/config/celery_config.py template, it is not used in the active task execution logic.
  • [REMOTE_CODE_EXECUTION]: The skill's architecture creates a remote code execution interface by allowing an agent to dispatch arbitrary strings to be executed as shell commands by a background worker process. The worker executes these commands with the privileges of the user who started the service.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 9, 2026, 07:01 AM