jiucai-capture

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It retrieves article titles and content from the external website 'jiuyangongshe.com' and interpolates them directly into LLM prompts in a_stock_watcher/ai_parser.py (using PARSE_PROMPT and IMAGE_PARSE_PROMPT).
  • Ingestion points: Data is ingested via Playwright scrapers in a_stock_watcher/sources/ which target community-contributed articles.
  • Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the ingested content.
  • Capability inventory: The skill has significant capabilities including file system access (SQLite DB and session storage), network access (scraping), and the ability to execute Bash commands via uv and python3 as defined in allowed-tools.
  • Sanitization: No sanitization or filtering is performed on the scraped text before it is sent to the Gemini AI model.
  • [COMMAND_EXECUTION]: The skill requires the ability to execute various shell commands to manage its environment and run its logic. SKILL.md specifies allowed-tools for Bash(uv:*), Bash(python3:*), and Bash(gemini:*). While necessary for the skill's function (e.g., uv sync, playwright install), this provides a broad execution surface that could be exploited if the agent is compromised via prompt injection.
  • [CREDENTIALS_UNSAFE]: The skill manages sensitive information including JIUCAI_PHONE, JIUCAI_PASSWORD, and GEMINI_API_KEY. The a_stock_watcher/auth.py script automates the login process and stores session cookies in data/auth_state.json. While this is part of the intended functionality for a scraping tool, the handling of plaintext credentials in .env files and the storage of session states increases the risk profile if the local environment is accessed.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 05:32 AM