macro-agent

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Prompt Injection (MEDIUM): The skill employs aggressive override markers (e.g., '🚨 CRITICAL', 'ALWAYS', 'NEVER') to dictate agent behavior and tool selection workflows. These patterns are characteristic of instructions designed to suppress an agent's internal safety filters or decision-making reasoning.
  • Indirect Prompt Injection (LOW): The skill is highly susceptible to indirect instructions embedded in the user's UI or in processed data.
      – Ingestion points: The search <text> and find <name> commands read content directly from the user's screen or UI elements, which could contain malicious instructions.
      – Boundary markers: None are present; there are no instructions telling the agent to distinguish UI data from operational commands.
      – Capability inventory: High-privilege OS control, including keyboard simulation (write, press), system-level hotkeys (hotkey), and persistent macro execution (seq-run).
      – Sanitization: No validation or sanitization of ingested screen data is documented before that data is used to drive actions.
  • Metadata Poisoning (MEDIUM): The skill's metadata is deceptive; the YAML frontmatter claims it 'NEVER' uses fixed coordinates, yet the command reference and examples explicitly define and demonstrate the use of click X Y and move X Y functionality.
  • Dynamic Execution (MEDIUM): The sequence management system allows for the creation (seq-create) and execution (seq-run) of persistent macro scripts stored in ~/.copilot/skills/macro-agent/data/sequences/. This creates a mechanism for persistent malicious actions if a sequence is successfully poisoned.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:44 PM