baoyu-post-to-x

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: scripts/copy-to-clipboard.ts contains a getMacSwiftClipboardSource function that stores raw Swift source code as a string. At runtime, this code is written to a temporary file and executed using the system's swift interpreter to interact with the macOS clipboard.
  • [EXTERNAL_DOWNLOADS]: The scripts/md-to-html.ts script contains a downloadFile function that uses the http and https modules to fetch remote files from URLs found within processed Markdown documents. It uses a generic browser User-Agent to avoid being blocked.
  • [COMMAND_EXECUTION]: Multiple scripts (scripts/paste-from-clipboard.ts, scripts/copy-to-clipboard.ts) construct and execute shell commands using node:child_process. This includes running AppleScript via osascript on macOS and PowerShell scripts on Windows to simulate real user keyboard events like 'Cmd+V' or 'Ctrl+V'.
  • [COMMAND_EXECUTION]: The skill launches the Google Chrome browser with the --remote-debugging-port and --disable-blink-features=AutomationControlled flags. This allows the scripts to maintain full programmatic control over a real browser session, including access to persistent user cookies and session data.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface in scripts/md-to-html.ts. It parses untrusted Markdown content from external files and automatically processes embedded links and images, which could be used to trigger unwanted network requests or data ingestion without explicit user confirmation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 01:05 AM