baoyu-wechat-summary

Pass

Audited by Gen Agent Trust Hub on May 21, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted chat messages from WeChat group histories, which presents a surface for indirect prompt injection attacks where third-party messages could influence the agent's behavior.
  • Ingestion points: Chat data is ingested through the wx history --json command in SKILL.md (Step 3).
  • Boundary markers: The instructions for summarizing and generating profiles do not specify the use of robust delimiters or markers to isolate the untrusted message content from the system instructions.
  • Capability inventory: The agent has the capability to execute shell commands via the wx binary (with dangerouslyDisableSandbox: true) and write files to the local filesystem for digest storage and profile management as defined in SKILL.md (Steps 7, 8, and 8.5).
  • Sanitization: While the skill excludes noise like emojis or system messages, there is no technical sanitization to prevent the model from interpreting malicious text within messages as instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
May 21, 2026, 07:45 AM
Security Audit — agent-trust-hub — baoyu-wechat-summary