The Agent Skills Directory

[DATA_EXFILTRATION]: The skill transmits user-provided text and file contents to the external service https://api.zhconvert.org for conversion. This core functionality is clearly disclosed in both the README and SKILL.md instructions for the agent.
[DATA_EXFILTRATION]: To prevent accidental exposure of credentials, the fanfuaji.py script implements a robust validation layer. It blocks access to files with sensitive basenames (e.g., .env, id_rsa, authorized_keys), sensitive extensions (e.g., .pem, .key, .p12), and files containing security-related keywords like 'secret' or 'token'.
[PROMPT_INJECTION]: The skill instructions proactively mitigate indirect prompt injection risks by requiring the agent to treat all data returned from the conversion API as untrusted text, explicitly forbidding the AI from using the output as executable instructions or chaining it into shell commands.
[COMMAND_EXECUTION]: The Python script contains an optional --no-verify-ssl argument. While not the default behavior, this flag allows the agent to disable certificate validation, which could expose the data transmission to man-in-the-middle attacks if improperly utilized.

fanfuaji