The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill contains a hardcoded authentication bearer token in the source code.
Evidence: scripts/constants.ts defines DEFAULT_BEARER_TOKEN with a static string credential used for API requests.
[DATA_EXFILTRATION]: The skill automates the extraction of sensitive session cookies from the user's browser.
Evidence: scripts/cookies.ts implements a mechanism to connect to a browser via Chrome DevTools Protocol (CDP) and execute Network.getCookies to retrieve auth_token, ct0, gt, and twid for X/Twitter domains.
[CREDENTIALS_UNSAFE]: Extracted session tokens are stored insecurely on the local file system.
Evidence: scripts/cookie-file.ts writes the retrieved session cookies to a plaintext JSON file (cookies.json) in the user's local application data directory without any encryption.
[COMMAND_EXECUTION]: The skill programmatically spawns browser processes with remote debugging capabilities.
Evidence: scripts/cookies.ts uses child_process.spawn to launch Chrome or Edge with the --remote-debugging-port flag, which exposes a control interface for the browser.
[COMMAND_EXECUTION]: The skill documentation instructs the agent to execute arbitrary shell commands for configuration and environment checks.
Evidence: SKILL.md contains instructions for the agent to execute commands such as cat and test -f on local system paths to manage user consent and preferences.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the processing of untrusted external content.
Ingestion points: scripts/graphql.ts (retrieves tweet and article content from the X API).
Boundary markers: Absent; content is processed without delimiters or instructions to ignore embedded commands.
Capability inventory: scripts/main.ts executes writeFile; scripts/cookies.ts executes spawn and kill.
Sanitization: Absent; scripts/markdown.ts performs basic formatting but no safety-related sanitization of the input content.

baoyu-danger-x-to-markdown