baoyu-post-to-x

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill gives the agent a 'write' capability to a public platform while it processes untrusted data.
    * Ingestion points: The skill accepts text through CLI arguments in scripts/x-browser.ts and processes Markdown articles in scripts/x-article.ts.
    * Boundary markers: No delimiters or instructions separate untrusted content from the agent's logic.
    * Capability inventory: Automates a real Chrome browser with persistent login sessions to post content.
    * Sanitization: JSON.stringify is used for safe browser-side text insertion, but the content itself is neither validated nor filtered.
  • [Command Execution] (MEDIUM): Potential AppleScript injection in scripts/paste-from-clipboard.ts. The targetApp parameter is interpolated directly into an AppleScript string (`tell application "${appName}"`) without escaping or validation. An attacker who controls this parameter could execute arbitrary AppleScript code on macOS.
  • [Credential Safety] (LOW): The skill manages persistent Chrome profiles at ~/.local/share/x-browser-profile. These directories contain sensitive session cookies that could be targeted for exfiltration.
  • [Metadata/Missing Code] (LOW): Several referenced files (including x-article.ts, md-to-html.ts, and copy-to-clipboard.ts) are missing from the skill package, preventing a complete security verification of the article publishing workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 07:55 AM