frontend-design

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The core workflow in SKILL.md and references/design-extraction-overview.md requires processing user-provided screenshots and videos using multimodal models to extract design guidelines. This untrusted data directly influences the generation of implementation code. A malicious image containing hidden instructions (e.g., in metadata or visual patterns) could cause the agent to generate insecure code or deviate from safety protocols.
    • Ingestion points: SKILL.md (screenshot/image inputs), references/design-extraction-overview.md (screenshots, videos, competitor designs).
    • Boundary markers: Absent. The instructions do not specify delimiters or warnings to ignore embedded content within the analyzed media.
    • Capability inventory: Writing implementation code (HTML/CSS/JS), executing shell scripts (scripts/gemini_batch_process.py), and writing documentation files.
    • Sanitization: Absent. No validation or filtering of the extracted design guidelines is mentioned before implementation.
  • [COMMAND_EXECUTION] (HIGH): Multiple reference files (e.g., references/ai-multimodal-overview.md, references/technical-workflows.md) describe the execution of shell commands using python scripts/gemini_batch_process.py. These commands interpolate variables like --prompt "[design-driven prompt]" and --output docs/assets/[name]. If these variables are influenced by user input or extracted metadata without strict sanitization, it could lead to arbitrary command execution on the host environment (e.g., via $(whoami) or ; rm -rf /).
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on external scripts that are not provided for review (scripts/gemini_batch_process.py, scripts/media_optimizer.py) and mentions external dependencies such as anime.js. Because these scripts are absent, the actual behavior of the shell executions cannot be verified and is potentially dangerous.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:10 AM