qqbot-media

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides a mechanism for the agent to read and transmit arbitrary local files to the QQ platform using the tag. Instructions specify that absolute paths (e.g., starting with /) are supported, and there is no mention of directory sandboxing, path validation, or allow-listing. This enables potential access to and exfiltration of sensitive locations like /etc/, ~/.ssh/, or environment files.
  • [COMMAND_EXECUTION]: The custom tag functions as an execution primitive that triggers file reading and network transmission by the underlying platform integration.
  • [PROMPT_INJECTION]: The skill includes instructions that attempt to override the agent's internal safety assessments. Specifically, it commands the agent to never say it is "unable to send" local files, which pressures the model to bypass standard security constraints related to local file access.
  • [INDIRECT_PROMPT_INJECTION]: The skill creates an attack surface where untrusted data from user-provided media can influence agent behavior. Ingestion points include user-provided media files that are automatically downloaded to local paths. There are no boundary markers or delimiters provided to distinguish between file content and system instructions. The agent's capability to read and transmit local files further increases the risk that embedded instructions in processed media could trigger data exfiltration.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 28, 2026, 08:49 AM