podcast-script-generator

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructs the agent to access the local filesystem via a 'Read' tool. It includes a hardcoded absolute path to a user directory (/Users/ugreen/Documents/obsidian/每日播客/) and explicitly allows reading from 'Any other file path' provided by the user. While intended for processing podcast notes, this capability creates a surface for unauthorized data exposure if a user or an indirect injection supplies paths to sensitive system files.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external files and user-pasted text without sufficient safety controls.
    • Ingestion points: Source material is retrieved from direct user input or local markdown files, as described in 'Step 1: Get Source Material'.
    • Boundary markers: The skill lacks explicit delimiters (e.g., XML tags or triple quotes) and 'ignore embedded instructions' warnings when interpreting the source content.
    • Capability inventory: The agent has filesystem access through the 'Read' tool mentioned in the workflow.
    • Sanitization: There is no evidence of input validation, filtering, or escaping of the content before it is processed by the script generation logic.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 20, 2026, 12:29 PM