social-push

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection within its image rendering pipeline. It converts user-provided Markdown into HTML and loads it into a headless browser (Playwright) to generate images.
    • Ingestion points: Markdown content and metadata from user-supplied files, processed by rendering scripts in the scripts/ directory.
    • Boundary markers: Absent. External content is interpolated directly into HTML templates (e.g., assets/card.html).
    • Capability inventory: Headless browser control via Playwright, and shell command execution via the agent-browser and Bash tools.
    • Sanitization: Absent. The scripts use the marked (Node.js) and markdown (Python) libraries to generate HTML without visible sanitization, which could allow embedded scripts to execute in the rendering context.
  • [COMMAND_EXECUTION]: The skill extensively uses shell commands and runtime script evaluation to perform its social media automation tasks.
    • Execution patterns: Uses agent-browser eval "js" to execute code in the browser context. It also uses osascript to interact with the system clipboard when transferring image data and text.
    • Self-evolution: The SKILL.md file instructs the agent to autonomously modify workflow files in the references/ directory to correct interaction paths when page structures change.
  • [DATA_EXFILTRATION]: The skill reads local files to prepare them for upload, which could be misused to access sensitive data.
    • Evidence: Workflows in references/小红书长文.md and references/知乎想法.md use shell commands such as cat "{文件路径}" and read (POSIX file "{图片路径}") via osascript to read files into the system clipboard. The skill does not validate these file paths.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 09:55 AM