create-boss (skills/vogtsw/boss-skills/create-boss)

Verdict: Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements a meta-skill pattern where it dynamically generates and writes new agent skills (SKILL.md files) at runtime using tools/skill_writer.py. These generated skills incorporate content derived from untrusted external sources like chat logs and emails. This 'self-generating' behavior creates a risk where the secondary skills could contain malicious instructions derived from the input data, which are then executed when the new skill is invoked.
  • [COMMAND_EXECUTION]: The tools/skill_writer.py script includes a deletion feature that uses shutil.rmtree on a directory path constructed from a user-supplied 'slug' argument. There is no validation to ensure the path remains within the designated bosses/ directory, which could allow for directory traversal and unintended file deletion if a malicious path is provided.
  • [COMMAND_EXECUTION]: Several utility scripts (wechat_parser.py, email_parser.py, feishu_parser.py, generic_chat_parser.py) accept an output file path as a command-line argument. These scripts write data directly to the specified path, which could be used to overwrite sensitive files if the output path is not properly restricted.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its data ingestion process.
    ◦ Ingestion points: Data enters the system via parser scripts (e.g., tools/wechat_parser.py) which read external chat logs and emails provided by the user.
    ◦ Boundary markers: The analysis prompts (e.g., prompts/judgment_analyzer.md) do not use explicit delimiters or instructions to ignore embedded commands within the processed data.
    ◦ Capability inventory: The skill possesses high-privilege capabilities including filesystem write access and the ability to execute shell commands via Bash.
    ◦ Sanitization: There is no evidence of sanitization or escaping of the external content before it is interpolated into prompts or written into the generated SKILL.md files.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 07:47 PM