The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill explicitly references and checks for the existence of ~/.claude/feishu.json. Accessing files within the ~/.claude/ directory is highly sensitive as it often contains authentication tokens, API keys, or private configurations for the agent environment.
[COMMAND_EXECUTION]: The skill utilizes the Bash(*) tool to perform system-level operations. It specifically instructs the agent to use Bash for file writing (cat << 'EOF' > file) to circumvent standard tool limitations and mentions the capability to manage and terminate system processes ("kill any running pilot").
[PROMPT_INJECTION]: The skill contains instructions that explicitly tell the agent to bypass user confirmation. In the 'Key Rules' section, it states: 'Do NOT ask the user for permission — just do it silently' when performing Bash-based file writes. Additionally, the AUTO_PROCEED = true constant encourages the agent to continue the pipeline without explicit user approval at major checkpoints.
[EXTERNAL_DOWNLOADS]: The skill performs extensive web data ingestion through WebSearch and WebFetch to gather information from external sources like arXiv, Google Scholar, and Semantic Scholar.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
Ingestion points: Phase 1 retrieves paper metadata and summaries from external sources (arXiv, Google Scholar) using WebSearch and WebFetch (File: SKILL.md).
Boundary markers: No boundary markers or instructions to ignore embedded commands in the fetched research data are present.
Capability inventory: The skill has access to Bash(*), Write, Edit, and WebSearch, allowing for file system modification and further network requests (File: SKILL.md).
Sanitization: There is no evidence of sanitization or validation of the fetched external content before it is processed by the pipeline.

idea-discovery