devto-post

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill uses osascript (AppleScript) and python3 to execute commands on the host system. It uses JXA (JavaScript for Automation) to read files from /tmp/ and to drive the browser's JavaScript execution engine.
  • [PROMPT_INJECTION] (HIGH): Article content (title and body) is interpolated into JavaScript strings that are executed in the browser. Fallback methods use manual string substitution rather than safe serialization, so a crafted title or body can break out of the string literal and execute arbitrary JavaScript in the page context.
  • [DATA_EXFILTRATION] (MEDIUM): The skill extracts the user's CSRF token and performs authenticated POST requests through the user's browser session. This gives the agent a channel to move data from its context to a public platform under the user's identity.
  • [INDIRECT_PROMPT_INJECTION] (HIGH):
    • Ingestion points: Processes technical blog posts and open source announcements, likely sourced from external/untrusted input.
    • Boundary markers: Absent. There are no delimiters to isolate untrusted article content from the automation scripts.
    • Capability inventory: Shell execution via osascript, file system access via python3 and JXA, and authenticated network operations via the browser's fetch API.
    • Sanitization: Absent. Only superficial regex replacements (stripping ---) are performed, which do not mitigate injection attacks.
  • [LOW_SECURITY_POSTURE] (MEDIUM): The prerequisite to enable 'Allow JavaScript from Apple Events' in Chrome significantly weakens the browser's security model: any local process that can send Apple Events can then execute scripts in the context of any website where the user is logged in.
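The PROMPT_INJECTION finding turns on the difference between manual string substitution and safe serialization. The block below is an added example, not code from the devto-post skill or from Gen Agent Trust Hub: a hypothetical editor template (`TEMPLATE_UNSAFE`, `TEMPLATE_SAFE`, `window.__editor`) is filled first with `String.prototype.replace` and then with `JSON.stringify`, using a constructed malicious title, and each result is run in a small Node stand-in for the page context so the break-out is observable. Since the skill hands the browser a code string, the article text inevitably travels inside code; the fix is to emit it as a correctly escaped literal, not to strip characters from it.

```javascript
// Added example, not the devto-post skill's own code: the unsafe and the safe way
// to place untrusted article text into JavaScript that the browser will execute.
// TEMPLATE_*, window.__editor and the function names are illustrative assumptions.

// Hypothetical editor template the skill fills before handing the code to Chrome.
// The slot sits inside a quoted literal, so the template itself supplies the quotes.
const TEMPLATE_UNSAFE = 'window.__editor.title = "__TITLE__";';

// Vulnerable: manual substitution. A title containing a double quote terminates
// the literal and whatever follows runs as code. replace() also interprets "$&",
// "$'" and similar patterns in the replacement string, a second way the value
// is mangled or rewritten.
function buildScriptUnsafe(title) {
  return TEMPLATE_UNSAFE.replace('__TITLE__', title);
}

// Hardened: the slot has no quotes of its own; JSON.stringify emits a complete
// JavaScript string literal with quotes, backslashes, newlines and control
// characters escaped, so the value cannot leave the literal. split/join avoids
// the replacement-pattern behaviour of replace().
const TEMPLATE_SAFE = 'window.__editor.title = __TITLE__;';
function buildScriptSafe(title) {
  return TEMPLATE_SAFE.split('__TITLE__').join(JSON.stringify(title));
}

// Stand-in for the page context so the example runs offline in Node: the script
// sees only this `window` object, and `pwned` records whether injected code ran.
function runInSandbox(script) {
  const window = { __editor: { title: null }, pwned: false };
  new Function('window', script)(window);
  return window;
}

// Whether the generated code is even syntactically valid. An article body with
// line breaks substituted into a quoted literal is not, which is why "fallback"
// paths built this way fail on ordinary input and not only on malicious input.
function scriptParses(script) {
  try {
    new Function('window', script);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed malicious title, as it could arrive from an untrusted blog feed.
const MALICIOUS_TITLE = 'Hello"; window.pwned = true; //';

function demo() {
  const unsafe = runInSandbox(buildScriptUnsafe(MALICIOUS_TITLE));
  const safe = runInSandbox(buildScriptSafe(MALICIOUS_TITLE));
  return {
    unsafePwned: unsafe.pwned,            // true: the title broke out of the literal
    unsafeTitle: unsafe.__editor.title,   // "Hello": the remainder became code
    safePwned: safe.pwned,                // false
    safeTitle: safe.__editor.title,       // the whole title, stored verbatim as data
    unsafeBodyParses: scriptParses(buildScriptUnsafe('line 1\nline 2')),  // false
    safeBodyParses: scriptParses(buildScriptSafe('line 1\nline 2')),      // true
  };
}

console.log(demo());
```

JSON.stringify protects only the string-literal boundary inside the generated code. If the page later renders the value as HTML (innerHTML, a markdown preview), that sink needs its own encoding; and the broader INDIRECT_PROMPT_INJECTION finding is not addressed by escaping at all, since the agent still reads untrusted article text as instructions.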
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:48 AM