social-push
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow instructions (e.g., in references/小红书图文.md and references/微博.md) direct the agent to execute bash commands that splice user-provided data into the command string. For example, commands such as `agent-browser fill @e1 "{标题}"` (title) and `agent-browser fill ".ProseMirror" "{正文内容}"` (body text) are vulnerable to shell injection whenever the assembled string is handed to a shell: the surrounding double quotes do not stop command substitution, so a title or body containing shell metacharacters (such as `;`, `$(...)`, or backticks) executes attacker-chosen commands on the host machine.
- [DATA_EXFILTRATION]: The skill instructs the user to launch their primary browser with the `--remote-debugging-port=9222` argument. The DevTools port opened this way is unauthenticated, and it allows the agent to attach to the user's live browser session. If the user is logged into sensitive accounts (e.g., email, banking, or cloud services), the agent has full programmatic access to those sessions, presenting a significant risk of private data exposure.
- [COMMAND_EXECUTION]: In the file references/小红书长文.md, the skill uses `osascript` to manipulate the macOS clipboard and `cat` to read local files into it (`cat "{文件路径}" | pbcopy`, where `{文件路径}` is a file path). `osascript` provides a broad surface for system manipulation, and reading an arbitrary, unvalidated file path into the clipboard is a dangerous capability that could be abused to exfiltrate sensitive files such as SSH keys or environment configurations.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface. It ingests untrusted data (user-provided articles, titles, and images) and processes it with powerful system tools (Bash, Playwright) without visible sanitization or boundary markers. Malicious external content can therefore steer the agent's behavior and potentially trigger the command execution vulnerabilities described above.
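The two COMMAND_EXECUTION findings above, reproduced as an added example that is not part of the audited skill or the Gen Agent Trust Hub report. `agent_browser` is a stub function standing in for the real agent-browser CLI: it only prints the argv it receives, so the script runs offline and shows exactly what the shell ended up executing. `unsafe_fill` mirrors the skill's string-interpolation pattern; `safe_fill` passes the title as a single argv element instead. `allowed_draft_path` is an assumed gate for the clipboard step, restricting `cat "{文件路径}"` to files under a hypothetical drafts directory.

```shell
#!/bin/sh
# Stub for the agent-browser CLI: print each argument in brackets so the
# effect of shell parsing is visible. Not the real tool.
agent_browser() {
  printf 'agent-browser'
  for arg in "$@"; do printf ' [%s]' "$arg"; done
  printf '\n'
}

# The skill's pattern: the user-supplied title is spliced into a command
# string which is then re-parsed by the shell (eval stands in for the agent
# running the assembled string through bash).
unsafe_fill() {
  title=$1
  cmd="agent_browser fill @e1 \"$title\""
  eval "$cmd"
}

# Hardened form: the title travels as one argv element and is never
# re-parsed, so metacharacters in it are just characters.
safe_fill() {
  agent_browser fill @e1 "$1"
}

# Gate for the clipboard step (cat "{文件路径}" | pbcopy). DRAFT_DIR is an
# assumption for this example; the skill itself defines no such restriction.
# Accept only absolute paths under DRAFT_DIR with no parent-directory
# component, so ~/.ssh/id_ed25519 or .env files can never be read.
DRAFT_DIR=/tmp/drafts
allowed_draft_path() {
  case "$1" in
    "$DRAFT_DIR"/*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    */../*|*/..) return 1 ;;
  esac
  return 0
}

# Constructed payload: closes the quoted title, runs a command, reopens a
# quote so the assembled line stays syntactically valid. A real attacker
# would put this in a post title or article body handed to the skill.
PAYLOAD='x"; echo INJECTED; echo "'
echo '--- interpolated into a command string (echo INJECTED runs):'
unsafe_fill "$PAYLOAD"
echo '--- passed as argv (payload is inert):'
safe_fill "$PAYLOAD"
```

Replace `echo INJECTED` with `cat ~/.ssh/id_ed25519 | pbcopy` or a `curl` to see why the report rates this HIGH: the agent never sees anything unusual, because from its point of view it only filled in a title. The path gate is deliberately strict (it rejects symlink tricks by never resolving them and refuses any `..` component) and should be applied before `cat`, not after.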
Recommendations
- AI detected serious security threats
Audit Metadata