flomo-web-crud

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The README.md contains a 'One-click installation' section with an instruction block designed to override the agent's standard behavior. It directs the agent to download and install software from an external GitHub repository, modify its own configurations, and perform validation steps without manual user intervention.
  • [EXTERNAL_DOWNLOADS]: The skill documentation refers to and requires dependencies from unverified third-party sources, specifically the hangwin/mcp-chrome GitHub repository and the mcp-chrome-bridge and mcp-chrome-stdio packages.
  • [REMOTE_CODE_EXECUTION]: The recommended setup uses npx -y to download and execute packages from the NPM registry at runtime. This allows for the execution of remote code that is not pinned to a specific version or verified for safety.
  • [COMMAND_EXECUTION]: The skill relies on the chrome_javascript tool to execute arbitrary JavaScript within the user's active browser session on v.flomoapp.com. It explicitly uses this capability to access internal application objects, such as .__vue__ instances and ProseMirror editor commands, which can bypass standard UI constraints.
  • [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by reading and processing user-generated memos from the flomo web interface.
    • Ingestion points: references/workflows.md describes reading visible memo content and snippets via chrome_get_web_content and chrome_read_page.
    • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when the agent processes retrieved memo text.
    • Capability inventory: The skill utilizes chrome_javascript, chrome_click_element, and chrome_fill_or_select, providing a powerful execution environment for any instructions parsed from the data.
    • Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the web page before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 04:08 PM