The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill performs automated extraction of authentication cookies (x-account and ch-session-1) from the Channel Talk desktop application's SQLite database and various browser profiles (Chrome, Edge, Brave, Arc, etc.). This behavior is synonymous with credential harvesting.
[CREDENTIALS_UNSAFE]: Extracted JWT session tokens are stored in plaintext within the configuration file at ~/.config/agent-messenger/channel-credentials.json. While the file is set to owner-only permissions (0600), storing long-lived credentials in plaintext is an unsafe practice.
[DATA_EXFILTRATION]: The skill accesses sensitive application data stored in browser user data directories and desktop app containers to retrieve session state, effectively exfiltrating authentication material from the host environment for the skill's own use.
[PROMPT_INJECTION]: The skill enables an agent to ingest untrusted data from an external source (Channel Talk chat history) which acts as a surface for indirect prompt injection.
Ingestion points: Untrusted content enters the agent's context through tools that execute agent-channeltalk message list, chat list, and snapshot --full commands.
Boundary markers: There are no boundary markers or instructions to treat chat content as untrusted data rather than agent instructions.
Capability inventory: The agent has access to the Bash tool which allows execution of CLI commands, creating a pathway for actions triggered by injected content.
Sanitization: No sanitization or filtering is performed on the text content of messages retrieved from the service.
[COMMAND_EXECUTION]: The skill requires the ability to execute shell commands to search for and read SQLite databases across various system paths, including macOS Containers and Windows AppData.

agent-channeltalk