beaver-image-gen

Fail

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: HIGH | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION | CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The Google provider implementation in scripts/providers/google.ts utilizes child_process.execSync to invoke the curl binary. This execution path is triggered whenever an HTTP proxy is detected in the environment (e.g., via https_proxy or ALL_PROXY variables).
  • [REMOTE_CODE_EXECUTION]: The execSync call in scripts/providers/google.ts is vulnerable to shell command injection. Environment variables such as proxy and url (derived from GOOGLE_BASE_URL) are interpolated directly into a shell command string. While they are wrapped in double quotes, they are not escaped. Since scripts/main.ts loads environment variables from project-local .env files (.beaver-skill/.env), an attacker could supply a malicious repository that executes arbitrary code when the agent attempts to generate an image using the Google provider.
  • [CREDENTIALS_UNSAFE]: In the postGoogleJsonViaCurl function in scripts/providers/google.ts, the skill writes the Google API key to a temporary file in the system's temp directory to pass it as a header to curl. Although it sets file permissions to 0o600 and attempts to delete the file after use, storing sensitive credentials in plaintext on disk, even temporarily, increases the risk of exposure to other processes on the system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from multiple sources—including user prompts, files specified via --promptfiles, and standard input—without any sanitization or boundary markers. This data is then interpolated into API requests that have the capability to trigger network operations and subprocess execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 4, 2026, 08:13 AM