The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The render_gif_file tool in src/iblipper/server.py takes a user-controlled output_filename and uses os.path.abspath() to resolve the path before passing it to Playwright's download.save_as(). This allows an agent (potentially under the influence of a malicious prompt) to overwrite sensitive files such as ~/.bashrc, ~/.ssh/config, or other configuration files with binary GIF data, leading to denial of service or configuration corruption.
[EXTERNAL_DOWNLOADS] (LOW): The skill depends on the playwright package, which downloads and executes browser binaries (Chromium) at runtime. It also connects to an external, non-whitelisted domain (https://andyed.github.io/iblipper2025/) to perform the typography rendering.
[INDIRECT_PROMPT_INJECTION] (HIGH): The skill exhibits a significant attack surface by ingesting untrusted data (message) and processing it within a headless browser (Playwright).
Ingestion points: The message parameter in generate_url and render_gif_file tools.
Boundary markers: None identified; untrusted data is directly interpolated into the URL fragment.
Capability inventory: File system write access via render_gif_file and network access via Playwright.
Sanitization: While urllib.parse.quote_plus is used, it only prevents URL structure breakage and does not mitigate malicious content rendered by the browser or the arbitrary file write vulnerability.

iblipper