podcast-workflow

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands by interpolating user-provided inputs, such as the YOUTUBE_URL and generated titles, directly into command-line arguments for local Python scripts. This creates a surface for command injection if the inputs contain shell metacharacters like semicolons, backticks, or pipes, potentially allowing for arbitrary code execution on the local system.
  • [PROMPT_INJECTION]: The workflow processes YouTube transcripts, which are untrusted external data. These transcripts are passed to subsequent processing steps (Step 3 and Step 5) without explicit boundary markers or sanitization, creating a risk of indirect prompt injection where malicious instructions embedded in the transcript could manipulate the agent's behavior during summary generation or Wiki upload.
    • Ingestion points: YouTube transcript data retrieved from external URLs via Step 1.
    • Boundary markers: Absent; the content-digest logic processes the transcript directly, with no delimiters around it and no instruction telling the agent to disregard directives embedded in it.
    • Capability inventory: Writing to the local file system (Obsidian directory), interacting with the Feishu Wiki API, and performing browser-based operations for image generation.
    • Sanitization: No evidence that the transcript is sanitized or filtered for instructions before it is used in downstream prompts.
  • [CREDENTIALS_UNSAFE]: The skill contains a hardcoded parent token (TOSJwKzxTiFdiRk0aducHNBFntg) used to specify the destination node in the Feishu Wiki. While this is an identifier, hardcoding infrastructure IDs or internal tokens in instruction files is a poor security practice that can expose internal workspace structures.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 04:17 PM