music-color-palette

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes a Python module via shell command: python3 -m music_analyzer color-palette "<input_path>".
    ◦ Evidence: The variable <input_path> is derived from user input and interpolated directly into the command string.
    ◦ Risk: Maliciously crafted filenames containing shell metacharacters (e.g., backticks or dollar-parentheses) could lead to arbitrary command execution.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): Dependency on an unverified Python package.
    ◦ Evidence: music_analyzer is not a standard library or a known trusted package.
  • [PROMPT_INJECTION] (LOW): Potential for indirect injection via processed data.
    ◦ Evidence (Mandatory Evidence Chain):
      1. Ingestion points: Audio files or analysis JSON entering the agent context via <input_path> in SKILL.md.
      2. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded content.
      3. Capability inventory: Subprocess call (python3) in SKILL.md.
      4. Sanitization: Absent; no escaping or filtering of external content is specified.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:36 PM