qiaomu-opencli-autofix

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute opencli commands and shell utilities like sed and cat. This includes executing commands with diagnostic flags and running the patched adapters.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It ingests untrusted data from external websites (DOM snapshots and network requests) via the diagnostic.json file and uses this data to make decisions about how to patch code. An attacker-controlled website could include malicious instructions in its DOM or API responses to influence the agent's code generation logic.
      • Ingestion points: The page.snapshot and page.networkRequests fields in the diagnostic JSON generated by the opencli tool.
      • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore instructions within the processed web content.
      • Capability inventory: The skill has Read, Edit, Write, and Bash capabilities, which are used to modify adapter files and execute them.
      • Sanitization: Absent. The skill performs no validation or sanitization of the external content before analysis.
  • [REMOTE_CODE_EXECUTION]: The skill implements a self-repair loop (Category 10: Dynamic Execution) where it writes new TypeScript/JavaScript code to an adapter file and then executes that file via the opencli command. If the generated code is influenced by malicious external data (as noted in the prompt injection finding), it results in the execution of arbitrary code on the user's system.
  • [DATA_EXFILTRATION]: While not directly exfiltrating data, the skill reads files based on the RepairContext.adapter.sourcePath variable provided by the tool's diagnostic output. If this path is manipulated or if the tool is tricked into pointing to sensitive files (e.g., .env, .ssh/id_rsa), the skill will read that content into the agent's context where it could be exposed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 06:57 AM