This skill is highly vulnerable to command injection and prompt injection
Claims to do
Industry Research Report Generation Skill: this Skill takes the user's free-form input, uses the model to extract industry keywords, calls the industry research script to generate a research report, and finally outputs the returned title, body text, and PDF/DOC attachment addresses.
Actually does
This skill installs `httpx` via `pip`, then executes a Python script (`scripts/get_data.py`) with a user-provided topic. The script uses an `EM_API_KEY`, most likely to access an external database (东方财富数据库, the Eastmoney database), generates an industry research report, saves it as PDF and DOCX files in a configurable local directory, and returns a shareable URL.
`openclaw skills install financial-ai-analyst/industry-research-report`

DeBERTa classifier detected prompt injection (confidence: 1.00)
When truncated_text is empty, the agent is instructed to read the docx attachment and summarize its content. An attacker who controls the API endpoint (or a malicious industry dataset) could embed prompt injection instructions within the DOCX file, which the agent would then process and execute as trusted instructions.
If the [truncated_text] part returned by the script in Step 2 is empty, read the content of the docx attachment returned by the API and summarize the relevant report information in the reply
The truncated_text field returned by the external script/API is inserted verbatim into the agent's response template. If the external service returns adversarial content containing prompt injection directives, those instructions could be interpreted as agent commands in downstream processing.
[truncated_text]... is inserted directly into the output template from Step 3
The script's output, including file paths (`pdf_output_path`, `docx_output_path`) and a `share_url`, is directly presented to the user. If the script is compromised (e.g., via command injection), these outputs could be manipulated to exfiltrate data to attacker-controlled locations or direct users to malicious sites.
"pdf_output_path": "...", "docx_output_path": "...", "share_url": "..." (in script output and final template)
The skill writes report files to a directory specified by `INDUSTRY_RESEARCH_REPORT_OUTPUT_DIR`. While configurable, if an attacker can control the script's execution or output paths (e.g., via command injection), they could potentially write files to arbitrary locations, leading to resource abuse or system disruption.
`INDUSTRY_RESEARCH_REPORT_OUTPUT_DIR` environment variable and the statement "the script will write local files" (脚本会写入本地文件)
The skill constructs a shell command by directly interpolating user-supplied input ({{topic}}) into a python3 invocation without any sanitization or escaping. An attacker can craft a malicious industry query containing shell metacharacters (e.g., semicolons, backticks, $(), etc.) to execute arbitrary commands on the host system.
`python3 {baseDir}/scripts/get_data.py --query "{{topic}}"`

The script writes PDF and DOCX files to paths returned by the server (`pdf_output_path`, `docx_output_path`). These server-controlled paths are reflected directly into the agent's output and potentially used for file operations, enabling path traversal attacks that could overwrite sensitive files on the host filesystem.
`"pdf_output_path": "完整报告的pdf文件保存地址", "docx_output_path": "完整报告的docx文件保存地址"` (the save paths of the full report's PDF and docx files)
The share_url field returned by the external API is embedded directly into agent output and presented to the user. A compromised or malicious API endpoint could return URLs pointing to internal network resources (SSRF), phishing sites, or URLs containing prompt injection payloads that the agent or user might follow.
`"share_url": "完整报告的分享链接"` (the share link of the full report) ... `**Share link:** [share_url]`
The skill requires EM_API_KEY to be set in the environment and passes it to an external script. If the script or the external API is compromised, the key could be exfiltrated. The metadata declares this as a required environment variable, meaning any agent running this skill automatically exposes the credential to the script execution environment.
`"requires": {"env":["EM_API_KEY"]}`

The `{baseDir}` placeholder in the command string is interpolated without documented validation or sandboxing. If this value is controlled or influenced by user input or environment configuration, it could be manipulated to execute scripts from attacker-controlled paths.
`python3 {baseDir}/scripts/get_data.py --query "{{topic}}"`

The skill explicitly prohibits the agent from using background/async execution and requires it to synchronously block until the external script completes. This could be exploited to cause indefinite blocking of the agent session if the script hangs or is intentionally slow, effectively a denial-of-service against the agent runtime.
It is forbidden to run this script using any "execute in the background, report later" approach; it may only be run synchronously in the current session, waiting until the command completes
Mondoo Skill Check: https://mondoo.com/ai-agent-security/skills/clawhub/financial-ai-analyst/industry-research-report