xhs-ops-methods

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
Categories checked: PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because of how it handles external data pulled from social media platforms.
  • Ingestion points: The agent is instructed to analyze "viral posts" from search results and discovery pages (SKILL.md) and process "comment lists" for automated replies (references/prompt-templates.md).
  • Boundary markers: The templates in references/prompt-templates.md (e.g., for "Viral post analysis" and "Comment reply") interpolate external data directly through placeholders such as {爆款链接或原文} and {评论列表}, without XML delimiters around the untrusted text or explicit instructions to ignore commands embedded in it.
  • Capability inventory: The skill has the capability to generate and potentially publish content/replies via browser profiles and account sessions (SKILL.md).
  • Sanitization: There is no evidence of input validation or sanitization for the external text before it is processed by the LLM.
  • [DATA_EXFILTRATION]: While the skill manages multiple account profiles and browser sessions, it does not attempt to exfiltrate sensitive system information, credentials, or environment variables. It incorporates safety measures by requiring manual user confirmation for logins and high-risk operations.
  • [REMOTE_CODE_EXECUTION]: The skill does not download external scripts, install unverified packages, or use dynamic code execution functions like eval() or exec().
  • [SAFE]: The skill includes several safety-positive features, such as "human-in-the-loop" requirements for publishing, strict persona constraints to prevent "persona drift," and clear checklists for compliance and forbidden topics.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 02:02 AM