multimodal-gen

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill programmatically accesses the host's secret store by executing the pass utility (subprocess.run(['pass', 'api/xingjiabiapi'])) to retrieve an API key in the files generate_image.py, generate_video.py, and prompt_optimizer.py. This capability could be used to exfiltrate other local secrets if modified.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill communicates with the non-whitelisted domain xingjiabiapi.com and downloads media files from various external URLs (e.g., s3.ffire.cc) based on API responses. This creates a risk of interacting with untrusted or malicious endpoints.
  • [COMMAND_EXECUTION] (LOW): Local shell commands are used via subprocess.run to orchestrate the internal Python scripts and to interact with system tools like pass. While the paths are currently restricted to the skill's own directory, the capability exists.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection. User-controlled text is interpolated directly into model prompts without sanitization or boundary markers. Evidence chain:
    1. Ingestion points: SKILL.md (via {用户描述}) and generate.py (via sys.argv).
    2. Boundary markers: absent.
    3. Capability inventory: network requests (POST/GET), file writing, and subprocess execution.
    4. Sanitization: absent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 03:10 PM