wps-note

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill represents an indirect prompt injection attack surface because it ingests untrusted data from external sources and possesses capabilities to modify the environment.
    • Ingestion points: Untrusted data enters the agent's context through tools like read_note, read_blocks, read_section, and especially import_web_page, which fetches content from external web URLs.
    • Boundary markers: The instructions do not define specific delimiters or instructions for the agent to ignore embedded natural language commands within the note content.
    • Capability inventory: The skill has significant capabilities, including edit_block (write), batch_edit (bulk write/delete), delete_note (permanent removal), and insert_image (network-based content insertion).
    • Sanitization: There is no explicit sanitization or filtering of the content read from notes or web pages to prevent it from being interpreted as instructions by the LLM.
  • [EXTERNAL_DOWNLOADS]: The import_web_page tool fetches content from remote URLs. This is mitigated by restricting access to a whitelist of well-known domains (e.g., WeChat, Zhihu, Douban). Additionally, insert_image can fetch images from arbitrary URLs, which is standard functionality for document editing.
  • [COMMAND_EXECUTION]: The provided wpsnote-cli documentation describes a command-line interface that interacts with the local file system to manage configurations and read argument files (--args-file, content_file). These operations are restricted to the local execution environment of the CLI and are consistent with the tool's purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 31, 2026, 11:34 PM