The Agent Skills Directory

[NO_CODE]: The skill references multiple script files in a src/ directory, such as accountMisc.js, qrCodeSharing.js, shareEmbed.js, and uploadContacts.js, but none of these files are included in the skill content.
[DATA_EXFILTRATION]: The documentation describes tools for accessing highly sensitive information, including login history (IP addresses, locations, and active sessions) and connected third-party accounts (Google and Apple). While the descriptions suggest utility purposes, the lack of source code prevents verification of how this data is handled or if it is transmitted to external servers.
[PROMPT_INJECTION]: The skill surface includes data ingestion points such as usernames and tweet URLs, which are processed by functions like viewJoinDate and accountAgeCalculator. This represents a potential surface for indirect prompt injection if the ingested profile data contains malicious instructions, though no specific exploits are present in the documentation.

account-tools