quark-mswnlz-publisher
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses subprocess.run and shell scripts (trigger_site_rebuild.sh) to execute Git commands such as clone, pull, commit, and push. These operations are restricted to the local filesystem and the target repositories defined in the configuration.
- [EXTERNAL_DOWNLOADS]: The documentation instructs the user to manually clone an external repository (QuarkPanTool) to provide core automation capabilities for interacting with Quark Drive.
- [DATA_EXFILTRATION]: Metadata regarding shared resources (titles and generated URLs) is transmitted to external endpoints via the Telegram Bot API and GitHub API. This behavior is documented and necessary for the skill's stated purpose of resource publishing and notification.
- [CREDENTIALS_UNSAFE]: The skill manages authentication secrets including GITHUB_TOKEN, TELEGRAM_BOT_TOKEN, and browser cookies. It provides logic in mswnlz_publish.py and quark_batch_run.py to load these from a local environment file (secrets.env) to avoid hardcoding credentials in the source code.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8), as user-provided resource titles are interpolated into Markdown files and Git commit messages. However, the risk is low because these titles are treated as data for static file generation.
Audit Metadata