searchnews

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted data from external news websites. An attacker who controls the content of a news article could embed instructions to manipulate the agent's behavior during the summarization or card-generation process.
      • Ingestion points: The skill crawls external URLs listed in scripts/ralph/prd.json (e.g., ithome.com, 36kr.com, qbitai.com).
      • Boundary markers: Absent. The templates in templates/README.md do not include delimiters or specific instructions for the agent to ignore potentially malicious content within the news items.
      • Capability inventory: The agent can execute shell scripts (scripts/ralph/ralph.sh), write to the local file system (dailynews/ directory), and perform web scraping.
      • Sanitization: Absent. There is no evidence of content filtering or sanitization of the scraped HTML/text before it is passed to the LLM for processing.
  • [COMMAND_EXECUTION] (SAFE): The script scripts/ralph/ralph.sh uses jq to initialize a JSON state file. While it executes a local command, it does so using a safe parameter-passing mechanism (--arg) and targets a specific template file within the skill's own directory.
  • [EXTERNAL_DOWNLOADS] (SAFE): The skill targets well-known, legitimate Chinese news domains for information gathering. No suspicious or unverified third-party software packages are being downloaded at runtime, though it recommends the manual installation of jq via Homebrew.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:29 PM