baoyu-post-to-wechat

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The file scripts/md/utils/languages.ts uses dynamic import() to load and execute JavaScript from an external CDN (cdn-doocs.oss-cn-shenzhen.aliyuncs.com) based on code block languages. This CDN is not in the trusted sources list, posing a risk of arbitrary code execution if the source is compromised.
  • COMMAND_EXECUTION (HIGH): The script scripts/paste-from-clipboard.ts utilizes spawnSync to execute dynamically generated AppleScript, PowerShell, and shell commands. These scripts are constructed via string templates at runtime, which is a dangerous pattern that can lead to command injection if inputs are manipulated.
  • DATA_EXFILTRATION (MEDIUM): The markedPlantUML extension in scripts/md/extensions/plantuml.ts sends diagram source code to an external server (https://www.plantuml.com/plantuml) for rendering. This could lead to the exposure of sensitive information if included in user-provided diagrams.
  • EXTERNAL_DOWNLOADS (MEDIUM): The md-to-wechat.ts script contains a downloadFile function that fetches remote images from arbitrary URLs. This can be abused to perform Server-Side Request Forgery (SSRF) or download malicious assets.
  • PROMPT_INJECTION (HIGH): As an indirect prompt injection risk (Category 8), the skill ingests untrusted markdown data (article.md) and possesses powerful capabilities including browser automation, network access, and system command execution via spawnSync. There are no significant boundary markers or sanitization logic to prevent embedded instructions in the markdown from hijacking the agent's workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:56 PM