The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its chat monitoring features.
Ingestion points: In references/monitor-chat.md, the skill reads chat content using browser action=snapshot to extract DOM text and browser action=screenshot for analysis by an image tool.
Boundary markers: The instructions lack boundary markers or explicit guidance for the agent to treat ingested chat text as untrusted data, increasing the risk of the agent obeying instructions embedded in messages.
Capability inventory: The skill possesses significant capabilities, including sending messages (references/send-message.md), @mentioning users, creating documents (references/create-doc.md), and modifying document permissions (references/doc-permissions.md).
Sanitization: No sanitization or validation logic is present to filter or escape the content of ingested messages before they are processed by the agent's logic.
[COMMAND_EXECUTION]: The skill relies extensively on browser action=act with the evaluate method to execute JavaScript snippets within the browser's context. While these scripts are used for UI automation (e.g., clicking buttons, inserting text via execCommand), they represent a mechanism for executing code within an authenticated web session.

feishu-browser