silicon-paddle-ocr

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill extracts text from images, which are often sourced from untrusted external environments.
      • Ingestion points: scripts/ocr_skill.py reads image files from disk via the images argument.
      • Boundary markers: Absent. The script does not wrap the model output in delimiters, nor does it instruct the agent to ignore commands embedded in the OCR results.
      • Capability inventory: The skill can perform network requests (to the SiliconFlow API), read local files, and write output to the filesystem via the --output flag.
      • Sanitization: None. The recognized text is returned directly to the agent's context, so the agent could follow malicious instructions embedded in an image.
  • [DATA_EXFILTRATION] (HIGH): The skill reads local file content, converts it to Base64, and transmits it to an external, non-whitelisted API endpoint (api.siliconflow.cn).
      • Evidence: In scripts/ocr_skill.py, the image_to_base64 function reads any file path provided, and ocr_image sends this data to the SiliconFlow API.
      • Risk: Because the skill accepts arbitrary file paths and glob patterns without validating that the files are actually images, an attacker could trick an agent into 'OCR-ing' sensitive files (e.g., .env, SSH keys), effectively exfiltrating their contents to the third-party API provider.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill depends on the openai Python package, as specified in metadata.json and scripts/ocr_skill.py. This is a standard dependency but requires external installation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:12 PM