khazix-skills/khazix-writer

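A long-form writing skill for the WeChat Official Account of 数字生命卡兹克 (Khazix). Use it when the user needs to write an Official Account article, write a draft, continue an article, or produce a long-form piece from source material. Trigger words include, but are not limited to: 写文章 (write an article), 写稿子 (write a draft), 帮我写 (write it for me), 续写 (continue writing), 扩写 (expand), 公众号文章 (Official Account article), 长文 (long-form piece), 出稿 (produce a draft), 按我的风格写 (write in my style). Even if the user only says "帮我把这个写成文章" (turn this into an article for me) or "用我的风格写一下" (write this in my style), the skill should trigger as long as the context involves content creation and Official Account output. It also applies when the user hands over a PDF, a brief, a news link, a speech-to-text transcript or any other material and says "帮我写篇文章" (write an article for me). Do not use it for short content (小红书 posts, tweets, WeChat Moments posts) or for pure title or summary generation (use the wechat-title skill for that).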

Quality: 85% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)


Security

1 medium severity finding. This skill can be installed but you should review these findings before use.

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and its references (references/content_methodology.md) explicitly require ingesting user-provided materials such as "新闻链接" or PDFs and instruct sourcing from public social platforms (Twitter, Reddit, 小红书, 微博/抖音/B站), i.e., untrusted third‑party/user‑generated content that the agent is expected to read and that can materially influence writing decisions and actions.
