The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/extract.py passes a user-supplied URL directly to the curl command via subprocess.run. Because the URL is not validated or sanitized, an attacker could provide a URL starting with a dash (e.g., --config or -o) to perform argument injection, potentially leading to file overwrite or other unintended side effects during the fetching process.- [PROMPT_INJECTION]: The skill exhibits a significant Indirect Prompt Injection surface. It downloads raw HTML from an external source and directs the AI to 'analyze style traits directly from the HTML' and then 'inject it into markdown-to-wechat.html'. An attacker could place hidden instructions inside a WeChat article that the AI might interpret as instructions, leading to the injection of malicious JavaScript (XSS) or data exfiltration scripts into the local HTML file.
Ingestion points: scripts/extract.py saves remote content to .extracted_content.html which is subsequently read and processed by the AI.
Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the AI's prompt instructions.
Capability inventory: The AI has the capability to write/modify local files (markdown-to-wechat.html) and execute the extraction script.
Sanitization: No sanitization or HTML escaping is performed on the extracted js_content before the AI processes it.- [EXTERNAL_DOWNLOADS]: The skill performs network requests to download content from arbitrary URLs provided in the command line. While the documentation specifies WeChat URLs, the implementation does not enforce this restriction at the script level.

wechat-theme-extractor