visa-doc-translate

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to dynamically generate a Python script using the reportlab and PIL libraries and execute it to create a PDF. This pattern of generating and running code at runtime is a significant security risk, as the logic of the generated script could be manipulated by the input data.
  • [COMMAND_EXECUTION]: The skill executes several shell commands, including sips for image conversion, pip install for package management, and brew install for system dependencies. These operations expand the attack surface of the agent environment.
  • [PROMPT_INJECTION]: The instructions explicitly command the agent to perform all steps "AUTOMATICALLY... WITHOUT asking for confirmation." This autonomy reduces user oversight and could allow malicious operations to proceed unnoticed if the agent is compromised via indirect injection.
  • [DATA_EXFILTRATION]: The skill is designed to process highly sensitive personal information, including bank certificates, ID cards, and passports. While no outbound network exfiltration was detected, the access to and processing of these files constitutes a high-risk data exposure surface.
  • [PROMPT_INJECTION]: As the skill performs OCR on external images provided by the user, it is vulnerable to indirect prompt injection. Malicious text embedded within an image could influence the agent's behavior during the translation or script generation phase, potentially leading to arbitrary command execution.
  • Ingestion points: Image files (PNG, JPG, HEIC) processed via OCR methods in SKILL.md.
  • Boundary markers: None identified; the skill does not use delimiters or instructions to ignore embedded content within the extracted text.
  • Capability inventory: Shell command execution via sips, package installation via pip and brew, and dynamic Python script generation/execution in SKILL.md.
  • Sanitization: No evidence of sanitization or validation of the OCR-extracted text before it is used in the translation or PDF generation logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 31, 2026, 12:58 AM