WeChat Publish Pipeline

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill instructs the agent to operate with extreme autonomy, explicitly directing it to skip user confirmation and feedback at every step ("全程不等待用户确认" ("never wait for user confirmation at any point"), "不询问用户" ("do not ask the user"), "不等待反馈" ("do not wait for feedback")). This suppresses human oversight for a multi-step process that includes executing code and publishing to a public account. Additionally, it provides instructions to bypass content moderation filters by rephrasing prompts if they are blocked by AI safety policies.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a high-exposure surface for indirect prompt injection, as it fetches content from external sources such as Hacker News and arbitrary URLs.
      • Ingestion points: External tech news sources (Hacker News, GitHub Trending) and arbitrary web pages scraped via baoyu-url-to-markdown (Step 1.1).
      • Boundary markers: No boundary markers or specific instructions to ignore embedded commands are present in the prompt templates.
      • Capability inventory: The skill possesses the ability to execute shell commands, write files, and interact with the WeChat API to publish content.
      • Sanitization: There is no evidence of sanitization or validation of the fetched content before it is processed and used to generate the final published article.
  • [COMMAND_EXECUTION]: The pipeline executes multiple shell commands using npx and bun. It interpolates external data, such as URLs found on the web, directly into command-line arguments (--url "{source_url}" in Step 1.1), which presents a potential command injection risk if the agent does not properly sanitize the input.
  • [DYNAMIC_EXECUTION]: The skill uses shell redirection (cat > ... << 'EOF') to dynamically create and overwrite multiple configuration files (EXTEND.md) in the user's home directory ($HOME/.baoyu-skills/). It also performs runtime package installation via npm install for the jimp and @jsquash/webp packages.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 16, 2026, 07:27 AM