ai-multimodal

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect prompt injection. It is designed to ingest and process untrusted external data, including PDFs, images, and videos (via document_converter.py and gemini_batch_process.py). Because the skill is granted Write and Edit permissions in SKILL.md, a malicious instruction embedded in media (e.g., hidden text in a PDF or OCR-able text in an image) could theoretically trigger the agent to perform unauthorized file modifications. No sanitization or explicit boundary markers for untrusted content were observed in the provided script logic.
  • Dynamic Execution (MEDIUM): In scripts/check_setup.py, the skill attempts to dynamically load a script from the user's home directory (Path.home() / '.claude' / 'scripts' / 'resolve_env.py') by modifying sys.path. Loading code from computed paths outside the skill's distribution folder is a security risk as it makes the skill dependent on the integrity of the user's home directory environment.
  • Command Execution (LOW): The skill explicitly requests the Bash tool and provides tips in SKILL.md to pipe data into a gemini command-line utility. While standard for this type of utility, it increases the risk that successful prompt injections could escalate to arbitrary command execution.
  • Data Exposure (INFO): The scripts/check_setup.py script prints a 'Key preview' of the GEMINI_API_KEY (api_key[:20]...api_key[-4:]). While intended for debugging, this exposes portions of the sensitive credential to logs or terminal output.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:30 AM