The Agent Skills Directory

[COMMAND_EXECUTION]: The diagnostic routines utilize the $ARGUMENTS variable to populate shell command templates, including nslookup, ping, and curl. This pattern creates a risk of command injection if the AI agent passes unsanitized user input into these bash executions.
[DATA_EXFILTRATION]: The skill accesses the Clash Verge application data directory located at ~/Library/Application Support/io.github.clash-verge-rev.clash-verge-rev. This path contains profiles.yaml and other configuration files that store sensitive information such as proxy server credentials, subscription tokens, and access keys.
[COMMAND_EXECUTION]: The skill performs active reconnaissance on the local machine by scanning a range of network ports (e.g., 7890, 7897, 9097) using lsof to determine which proxy services are active.
[PROMPT_INJECTION]: The skill processes external data by reading and merging remote proxy subscription configurations into local files, creating a surface for indirect prompt injection. 1. Ingestion points: profiles.yaml and YAML files in the profiles/ subdirectory. 2. Boundary markers: The skill does not implement delimiters or warnings to ignore instructions that might be embedded in remote configuration files. 3. Capability inventory: The skill has the ability to execute bash commands and perform file write/edit operations based on the contents of these configurations. 4. Sanitization: There is no evidence of sanitization or structural validation for the YAML content fetched from remote subscriptions before it is processed.

clash-doctor