create-star-skill

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The file prompts/knowledge_router.md defines several shell command templates for the agent to execute, such as grep "{keyword}" and cat knowledge/lyrics/{id}_{歌名}.txt. These templates interpolate variables such as {keyword} and {歌名} into the command string without any sanitization or escaping, so a value containing shell metacharacters results in shell command injection. Additionally, tools/weibo_fetcher.py executes the external tool weibo-cli via subprocess.run with user-supplied arguments.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection due to its data processing design.
    • Ingestion points: Data is fetched from untrusted external sources (Bilibili comments and Weibo posts) and stored in knowledge/comments.json and knowledge/weibo_posts_full.json.
    • Boundary markers: No delimiters or safety instructions are used in prompt templates (e.g., prompts/persona_builder.md) to isolate untrusted data from the agent's instructions.
    • Capability inventory: The agent is granted shell execution capabilities through the instructions in the knowledge router.
    • Sanitization: No validation or filtering is performed on the fetched content before it is processed by the AI or used in shell commands.
  • [EXTERNAL_DOWNLOADS]: The documentation and tools/weibo_fetcher.py require the installation of the third-party package weibo-cli via pip from a public registry, which introduces an external dependency risk.
  • [DATA_EXFILTRATION]: The combination of shell command execution capabilities and the processing of untrusted, externally-sourced data creates a risk that an attacker could exfiltrate sensitive information, such as environment variables or local configuration files, by manipulating the commands the agent is instructed to run.
Audit Metadata

Risk Level: MEDIUM

Analyzed: Apr 8, 2026, 04:32 AM