contact-vcard-extractor

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No malicious patterns or security vulnerabilities were identified. The skill performs its stated function using local scripts and platform-provided utilities.
  • [COMMAND_EXECUTION]: The skill executes a bundled Python script (contact_to_vcard.py) to generate vCards and apple-vision to perform OCR. These are standard operations for the skill's purpose and occur within the local workspace.
  • [DATA_EXFILTRATION]: No network activity was detected. The skill reads from and writes to the local workspace and attachment directories without external communication.
  • [PROMPT_INJECTION]: The skill processes untrusted data from user messages and OCR results, which is an inherent surface for indirect prompt injection. However, the risk is mitigated by the use of a specialized parsing script that applies regex-based validation and proper vCard escaping.
      • Ingestion points: Reads text from user messages, workspace files, and OCR output from apple-vision.
      • Boundary markers: The skill does not use explicit delimiters for untrusted input, but instructions define strict field extraction and output formatting.
      • Capability inventory: Utilizes script execution, file writing, and image processing tools.
      • Sanitization: The Python script implements specific character escaping and regex filtering for contact fields (phone, email, URLs) to ensure vCard format integrity.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 21, 2026, 12:06 PM