maimai-hub

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/maimai.py executes shell commands by sourcing a file path provided via the --env command-line argument. This pattern is vulnerable to shell injection if the file path or contents are manipulated.
      ◦ Evidence: subprocess.run(["/bin/sh", "-c", f". {env_file} && env"], ...) in scripts/maimai.py.
      ◦ Risk: If an attacker can influence the path passed to the --env parameter, they can achieve arbitrary code execution in the context of the agent.
  • [DATA_EXFILTRATION]: The skill manages and transmits highly sensitive authentication material, including session cookies and access tokens.
      ◦ Evidence: The script retrieves COOKIE_ACCESS_TOKEN, COOKIE_SESSION, and COOKIE_CSRFTOKEN from local environment files to authenticate requests to maimai.cn.
      ◦ Risk: While these secrets are sent to the legitimate vendor domain, handling them in temporary shell scripts (/var/minis/offloads/env_cookies_maimai_cn_XXXXXXXX.sh) increases the risk of local credential exposure.
  • [PROMPT_INJECTION]: The skill processes untrusted user-generated content from Maimai posts, creating a surface for indirect prompt injection.
      ◦ Ingestion points: Content retrieved from maimai.cn via API or browser-based scraping in scripts/maimai.py and SKILL.md.
      ◦ Boundary markers: No explicit delimiters or instructions are provided to the agent to treat the fetched content as untrusted data.
      ◦ Capability inventory: The agent has the ability to execute shell commands, perform network operations via curl, and use the browser_use tool.
      ◦ Sanitization: There is no evidence of filtering or sanitizing the retrieved post text before it is presented to the LLM for summarization.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 11:48 AM