Gen Agent Trust Hub audit: skill "speak" (babysor/mockingbird)

Status: Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts/render_timeline.py script contains a function _resolve_reference_audio that fetches content from arbitrary URLs using requests.get. This lets the skill download and process files from any remote server named in the voice-map configuration or passed as a command argument, which could be exploited for SSRF or used to ingest malicious data.
  • [DATA_EXFILTRATION]: Both scripts/noiz_tts.py and scripts/render_timeline.py send user-provided text and the NOIZ_API_KEY (normalized and passed in the Authorization header) to an external API. The configurable --base-url argument allows these requests to be redirected: if an attacker tricks the agent into overriding this URL, the API key and potentially sensitive audio/text data could be sent to an untrusted server.
  • [COMMAND_EXECUTION]: The skill executes external binaries, including ffmpeg, ffprobe, and kokoro-tts, via subprocess.run. Although it uses list-based arguments to mitigate shell injection, the complexity of dynamically constructed ffmpeg filter strings and the use of parameters parsed from untrusted SRT and JSON files create a broad attack surface for argument manipulation.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external data files without robust sanitization.
      • Ingestion points: Processes SRT subtitle files, JSON voice-maps, and plain text files from the user's workspace.
      • Boundary markers: No delimiters or safety instructions separate processed content from system logic.
      • Capability inventory: The skill can execute system commands and perform network operations.
      • Sanitization: Input parsing relies on basic regexes and standard JSON loaders, with no validation that external data is free of instructions aimed at manipulating the LLM's tool usage or parameters.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 2, 2026, 02:23 PM