wechat-daily

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses and decrypts highly sensitive personal communication data from local WeChat databases, including chat logs, contacts, and "Moments". While the code does not show explicit network exfiltration, it reads files such as ~/.config/wechat-keys.json and database files in ~/Library/Containers/com.tencent.xinWeChat/ which contain private user information.
  • [COMMAND_EXECUTION]: The script scripts/extract_keys.py executes multiple shell commands via subprocess.run, including codesign to modify security attributes of the WeChat binary, pgrep to identify processes, and pip for dependency management. Modification of application signatures is a high-privilege operation used here to bypass macOS Hardened Runtime protections.
  • [DYNAMIC_EXECUTION]: The skill uses scripts/extract_keys.py to generate a temporary Python script at runtime and executes it using sys.executable. Additionally, it employs the Frida framework to dynamically inject JavaScript code into a running process to intercept cryptographic keys from memory.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (chat messages, social media posts) and interpolates it directly into the agent's context for summarization in Phase 3 of SKILL.md.
      • Ingestion points: scripts/wechat_daily.py reads raw message content from decrypted SQLite databases.
      • Boundary markers: Absent. The prompt instructions do not use robust delimiters or instructions to ignore embedded commands within the messages.
      • Capability inventory: The skill has access to the local file system (read/write), can execute shell commands through Python's subprocess module, and uses Frida for process instrumentation.
      • Sanitization: The skill performs standard character decoding and ZSTD decompression but does not sanitize the text content for potential malicious instructions before presenting it to the AI.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 28, 2026, 11:14 AM