wecom-send-media
Warn
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to retrieve and transmit files from absolute paths that it emits in its own response, which creates a significant data exposure risk. Because no restriction is placed on which directories may be accessed, an agent could be manipulated through indirect prompt injection into sending sensitive system files.
  - Ingestion points: user requests or generated content containing file paths.
  - Boundary markers: none present to distinguish untrusted data from valid file paths.
  - Capability inventory: unrestricted local file reading and transmission via the MEDIA command.
  - Sanitization: no path validation, allow-listing, or sanitization logic is described or enforced.
- [PROMPT_INJECTION]: The instructions use authoritative language and negative constraints to push the agent past its internal safety training regarding file system access. By forbidding the agent from stating that it cannot send files, the skill actively attempts to suppress safety refusals. Evidence: "❌ Never reply with 'Cannot send images, videos, voice messages or files' or similar wording!" (original: "❌ 绝对不要回复'无法发送图片、视频、语音或文件'或类似的措辞!") and "❌ Wrong: saying 'I cannot send local images'" (original: "❌ 错误:说'我无法发送本地图片'").
- [COMMAND_EXECUTION]: The skill defines a domain-specific language (DSL) command, MEDIA: <path>, that triggers file system operations. This command gives the agent a direct interface to read the filesystem based on instructions generated during the conversation.
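The check the findings above say is missing, written out as an added example that is not part of the skill or of this audit: the handler that consumes the agent's reply parses each MEDIA: line, resolves the path with realpath before comparing it against an allow-listed root, and rejects anything that is not a regular, allow-listed media file under that root. The root directory, extension list, size cap, function names, the reply text and the files it refers to are all hypothetical and constructed for the demonstration.

```python
"""Allow-listed path validation for a 'MEDIA: <path>' style command.

Added example, not the wecom-send-media skill's own code. It assumes a
handler that receives the agent's reply text and must decide which local
files, if any, may be uploaded. Names and limits below are hypothetical.
"""
import os
import re
import shutil
import tempfile

# Hypothetical policy: only these types may be sent, and only files this small.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".amr", ".pdf"}
MAX_BYTES = 20 * 1024 * 1024

MEDIA_RE = re.compile(r"^MEDIA:\s*(.+?)\s*$", re.MULTILINE)


def parse_media_commands(reply: str) -> list[str]:
    """Return the raw path from every 'MEDIA:' line in the agent's reply."""
    return MEDIA_RE.findall(reply)


def validate_media_path(raw_path: str, allowed_root: str) -> tuple[bool, str]:
    """Decide whether raw_path may be read and uploaded.

    Returns (ok, resolved_path) on success or (False, reason) on rejection.
    Both sides of the comparison go through realpath, so '..' segments and
    symlinks are applied before the containment check, not after it.
    """
    root = os.path.realpath(allowed_root)
    # Relative paths are anchored to the root, never to the process cwd.
    candidate = raw_path if os.path.isabs(raw_path) else os.path.join(root, raw_path)
    resolved = os.path.realpath(candidate)
    # commonpath, not startswith: '/media/allowed-evil' must not pass for '/media/allowed'.
    if os.path.commonpath([root, resolved]) != root:
        return False, "outside allowed root"
    if not os.path.isfile(resolved):
        return False, "not a regular file"
    if os.path.splitext(resolved)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allow-listed"
    if os.path.getsize(resolved) > MAX_BYTES:
        return False, "too large"
    return True, resolved


def demo() -> dict[str, tuple[bool, str]]:
    """Build a throwaway directory layout and run each MEDIA: line through the check."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "media")  # hypothetical allow-listed root
    os.mkdir(root)
    with open(os.path.join(root, "cat.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")  # constructed: PNG header bytes only
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not media")  # constructed: inside root but wrong type
    with open(os.path.join(base, "secret.key"), "w") as f:
        f.write("PRIVATE")  # constructed: sensitive file outside root
    # A symlink inside the root that points outside it; realpath sees through it.
    os.symlink(os.path.join(base, "secret.key"), os.path.join(root, "link.png"))

    # Constructed agent reply: one legitimate file plus injected attempts.
    reply = (
        "Here is the photo you asked for.\n"
        "MEDIA: cat.png\n"
        "MEDIA: ../secret.key\n"
        "MEDIA: /etc/passwd\n"
        "MEDIA: link.png\n"
        "MEDIA: notes.txt\n"
    )
    results = {raw: validate_media_path(raw, root) for raw in parse_media_commands(reply)}
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for raw, (ok, detail) in demo().items():
        print(f"{'SEND  ' if ok else 'REJECT'} {raw!r}: {detail}")
```

Only the first path survives; the `..` traversal, the absolute system path and the escaping symlink all fail the containment check because the comparison is made on the resolved path, and the in-root `.txt` fails the type check. This closes only the path side of the finding; the refusal-suppression wording quoted under PROMPT_INJECTION is a separate problem that no path filter addresses.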
Audit Metadata