universal-learner
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection due to its core function of processing untrusted external content.
  - Ingestion Points: The skill accepts arbitrary text via direct user input ("粘贴完整Prompt", i.e. "paste the complete Prompt") and external files (extracted_results/extracted_modules.json).
  - Boundary Markers: Absent. There are no delimiters or specific instructions for the agent to isolate the input data from its operational logic.
  - Capability Inventory: The skill workflow includes writing to a persistent SQLite database (elements.db) and generating a JSON library. This allows an attacker to inject data that poisons the agent's long-term memory or influences downstream decisions.
  - Sanitization: Absent. The "visual_reference" feature (Step 5.2 in SKILL.md) is specifically designed to save "complete raw content," which ensures any malicious instructions or hidden payloads are preserved verbatim in the database.
- [COMMAND_EXECUTION] (MEDIUM): The skill describes a complex workflow involving database updates and file generation. It references an external, unprovided module (modules/library_updater.md) to handle these operations, which represents an unverifiable security boundary regarding how the SQLite database and JSON files are handled.
Recommendations
- AI detected serious security threats
Audit Metadata