The Agent Skills Directory

[COMMAND_EXECUTION]: The skill builds and executes shell commands using node to trigger scripts from auxiliary skills. These commands incorporate multiple user-controlled parameters, such as slug, illustration_image_base_url, illustration_image_model, and illustration_image_provider. Without strict validation or escaping of these inputs, the skill is vulnerable to command injection attacks.
[DATA_EXFILTRATION]: The input wechat_profile_dir prompts users to provide the file path to their Chrome browser profile. Accessing a browser profile is a significant security risk as these directories store sensitive information, including session cookies, saved passwords, and browsing history.
[REMOTE_CODE_EXECUTION]: The workflow relies on executing external scripts (e.g., illustrate-article.ts, convert.js, wechat_draft.js) from other skill directories installed on the system. The use of dynamic path construction (<skill-path>/scripts/...) combined with shell execution presents a risk if the environment or dependency paths are manipulated.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches untrusted content from the web via WebSearch and webfetch to build its 'evidence pool'. This content is then processed by the LLM and used to generate articles.
Ingestion points: Untrusted data enters the context during the 'Material Collection' phase (Step 1) in SKILL.md via web searches and URL scraping.
Boundary markers: None identified. There are no instructions to the agent to treat external content as untrusted or to wrap it in delimiters.
Capability inventory: The skill has high-privilege capabilities including shell execution (Steps 6, 7, 8), file system writes (Phase 0, 5), and network access.
Sanitization: No evidence of sanitization, filtering, or validation of the fetched web content was found in the scripts or instructions.

wechat-writing