The Agent Skills Directory

REMOTE_CODE_EXECUTION (CRITICAL): The SKILL.md and scripts/ensure_deps.py files provide commands and instructions to download and execute code directly from a remote URL using a shell pipe (curl -LsSf https://astral.sh/uv/install.sh | sh). This pattern is a confirmed remote code execution vector as it executes unverified content with the user's shell privileges.
DATA_EXFILTRATION (HIGH): The script scripts/fix_transcript_enhanced.py implements a function find_glm_api_key that programmatically reads sensitive shell configuration files, including ~/.zshrc, ~/.bashrc, .bash_profile, and .profile. While the stated purpose is to find an API key, this behavior allows the script to read and potentially expose any private environment variables, aliases, or credentials stored in those files.
COMMAND_EXECUTION (MEDIUM): Multiple components, including scripts/fix_transcript_enhanced.py and scripts/ensure_deps.py, utilize the subprocess module to execute system commands (uv, open, xdg-open). Although the skill includes internal path validation logic, the reliance on external command execution for core functionality increases the overall attack surface.
PROMPT_INJECTION (LOW): The scripts/core/ai_processor.py script interpolates raw transcript data directly into an LLM prompt using the {chunk} placeholder. The lack of robust sanitization or clear boundary markers makes the system vulnerable to indirect prompt injection if a transcript contains malicious instructions designed to hijack the model's output or leak sensitive context.
Ingestion points: scripts/core/ai_processor.py (via processing of transcript chunks).
Boundary markers: Absent; rely on standard text labels without "ignore embedded instructions" warnings.
Capability inventory: Network access (GLM API), local file system access, and command execution capabilities.
Sanitization: None observed; transcript content is processed as-is.

transcript-fixer