The Agent Skills Directory

[PROMPT_INJECTION]: The publish_with_cover.js script contains an indirect prompt injection surface. It builds an image generation prompt using article metadata extracted from user-supplied files without sanitization. * Ingestion points: Title and digest extracted from files specified by --article or --file in publish_with_cover.js. * Boundary markers: Absent; user content is concatenated directly with prompt instructions. * Capability inventory: Execution of external scripts via spawnSync (image-gen.ts) which interfaces with image generation APIs. * Sanitization: Absent; no filtering or escaping of input content.
[EXTERNAL_DOWNLOADS]: The wechat_draft.js script downloads images from URLs extracted from <img> tag src attributes in the input HTML. This behavior enables potential SSRF if the runtime environment has access to internal network resources.
[COMMAND_EXECUTION]: The publish_with_cover.js script executes internal Node.js and Bun scripts using child_process.spawnSync to perform image generation and uploading tasks.
[CREDENTIALS_UNSAFE]: The loadEnv logic in the scripts searches for .env files in parent directories up to three levels above the skill directory, potentially exposing sensitive environment variables from broader project contexts.

wechat-publish