card
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8). It ingests untrusted data from external URLs and user-provided text, which is then interpolated into HTML templates and rendered in a browser environment using Playwright.
- Ingestion points: Untrusted URLs (via scraping), pasted text, and local article files (specified in SKILL.md).
- Boundary markers: The instructions do not specify any boundary markers or 'ignore' warnings for the data being processed, meaning instructions embedded in the source content could potentially influence the agent's behavior during content extraction or rendering.
- Capability inventory: The skill utilizes a Node.js script (`capture.js`) that spawns a Playwright browser instance to render generated HTML.
- Sanitization: No explicit sanitization or escaping of the input content is implemented before it is injected into the `{{CONTENT_HTML}}` or `{{BODY_HTML}}` template placeholders.
- [DATA_EXFILTRATION]: The skill's shared execution protocol explicitly includes the capability to 'Read local file content' (`读取本地文件内容`). While intended for processing Markdown or article files into images, this capability creates an exposure risk for sensitive files (e.g., credentials, keys) if the agent is manipulated into 'casting' them into cards.
- [COMMAND_EXECUTION]: The skill involves executing shell commands to install dependencies (`npm install`) and to run the capture script (`node capture.js`). These commands are part of the primary purpose of the skill and utilize the well-known Playwright library, but they represent a functional executable surface.
Audit Metadata