The Agent Skills Directory

[COMMAND_EXECUTION]: The skill's instructions in SKILL.md suggest that the agent should execute Python code using python3 -c while interpolating user-provided arguments like usernames and tweet IDs.
Evidence: SKILL.md examples use python3 -c "from x_helper import lookup; print(lookup('elonmusk'))".
Risk: If the agent follows this pattern and inserts $ARGUMENTS directly into the Python command string without rigorous escaping, a malicious user could provide input that escapes the Python string and executes arbitrary system commands or Python code.
[EXTERNAL_DOWNLOADS]: The skill performs network requests to external third-party services to retrieve data.
Evidence: scripts/x_helper.py connects to api.fxtwitter.com and api.vxtwitter.com.
Context: These are well-known public mirrors for Twitter data used to fulfill the skill's primary purpose.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes untrusted content from the internet.
Ingestion points: scripts/x_helper.py fetches data from api.fxtwitter.com and api.vxtwitter.com (specifically user descriptions and tweet text).
Boundary markers: Absent. The instructions do not provide delimiters or warnings to the agent about ignoring potential instructions embedded in the retrieved data.
Capability inventory: The agent has the capability to execute shell commands and make network calls via the provided Python script.
Sanitization: Absent. The Python script returns the raw text from the API responses to the agent without filtering or escaping.
Risk: An attacker could place malicious instructions in a Twitter bio or tweet that the agent might inadvertently execute if it processes that data as part of its reasoning loop.

x-helper