material-retrieve

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it ingests and displays data from external local files that could contain malicious instructions.
  • Ingestion points: The skill reads from ./writing-workspace/materials/index.json and from the content files located at ./writing-workspace/materials/entries/{id}.json, as defined in the '数据路径' (data paths) and '执行流程' (execution flow) sections of SKILL.md.
  • Boundary markers: The instructions use markdown headers and blockquotes to delimit content, but they do not include explicit instructions for the agent to disregard or ignore embedded commands found within the retrieved materials.
  • Capability inventory: The skill uses standard file system read capabilities to access local workspace data and display it to the user. No high-risk capabilities such as subprocess execution or network writes were identified.
  • Sanitization: No sanitization, escaping, or filtering of the retrieved content is performed; the skill explicitly directs the agent to '保留原文措辞,不做改写' (preserve the original wording, do not rewrite).
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 06:58 AM