
activity-push

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH

Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/render_activity_image.py script contains a load_image function that supports reading files from the local filesystem via the file:// protocol or direct paths. Because the input to this script (activity-structured-geo.json) is generated by an LLM that extracts data from untrusted external articles, an attacker could craft an article that tricks the model into extracting a path to a sensitive local file. This path would then be read by the image renderer, potentially exposing sensitive information. Additionally, the fetch_recent_feeds.sh script uses curl to fetch from a user-provided MP_API_HOST, which could be exploited to read local files via the file:// protocol if the host variable is manipulated.
  • [PROMPT_INJECTION]: The skill processes untrusted content from public articles to identify activities and extract structured information. It lacks any boundary markers or instructions to the model to ignore or escape instructions embedded within those articles. This makes the skill vulnerable to indirect prompt injection. Ingestion point: raw.json via fetch_recent_feeds.sh. Capability inventory: network access via curl and urllib.request, and local file access in the rendering script. Boundary markers: absent. Sanitization: absent.
  • [CREDENTIALS_UNSAFE]: The SKILL.md file contains a hardcoded hex string (2449ebfdd2b2a1f20d88f797e3627d8fc6) for the WE_COM_WEBHOOK_KEYS environment variable. While presented as an example, this string is not a generic placeholder and represents a realistic credential format.
  • [COMMAND_EXECUTION]: The skill executes bash and Python scripts using absolute paths tied to a specific developer's environment (e.g., /Users/yujian/...). This can lead to execution failures or unexpected side effects if these paths point to different resources on another machine.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 30, 2026, 01:08 PM