ai-multimodal

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • CREDENTIALS_UNSAFE (MEDIUM): The scripts/check_setup.py utility prints the first 20 and the last 4 characters (24 in total) of GEMINI_API_KEY to the console during setup. Revealing that much of a secret is excessive and risks credential leakage through logs or terminal captures.
  • COMMAND_EXECUTION (MEDIUM): The scripts/check_setup.py script dynamically adds ~/.claude/scripts/ to the Python search path and imports a module named resolve_env. Loading executable code from a non-standard, user-writable directory is a medium-severity dynamic execution risk.
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8) because its primary function is processing untrusted multimedia files (PDF, audio, video, image).
    • Ingestion points: Files are ingested through scripts/gemini_batch_process.py and scripts/document_converter.py and passed to the LLM.
    • Boundary markers: The skill lacks explicit delimiters or instructions telling the model to ignore commands embedded in the processed media.
    • Capability inventory: The skill has network access (Gemini API), file system operations, and potentially shell command execution, as suggested by the quick-start tip.
    • Sanitization: There is no evidence that media content is sanitized or validated before it is passed to the LLM.
  • PROMPT_INJECTION (LOW): The recommended usage pattern in SKILL.md pipes arbitrary user-provided strings directly into a CLI tool, which creates a surface for direct prompt injection if the agent does not handle those strings securely.
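The two MEDIUM findings above are code-level patterns, so here is an added example (not code from the ai-multimodal skill or from check_setup.py) showing the flagged key-masking pattern beside a safer one, and a guarded way to load a helper module from a directory like ~/.claude/scripts/ without extending sys.path. The function names (weak_mask, mask_secret, is_trusted_dir, load_module_checked, demo), the placeholder key and the stand-in resolve_env.py are this example's own constructions; the permission check assumes POSIX ownership and mode bits.

```python
"""Added example: safer handling of the two check_setup.py patterns the audit
flags. All names and fixtures here are illustrative, not the skill's own."""
import hashlib
import importlib.util
import os
import stat
import tempfile
import types
from pathlib import Path


def weak_mask(secret: str) -> str:
    """The pattern the audit flags: first 20 plus last 4 characters.
    For a 39-character key this leaves only 15 characters unknown."""
    return f"{secret[:20]}...{secret[-4:]}"


def mask_secret(secret: str, keep: int = 4) -> str:
    """Hardened form: show only the last `keep` characters plus a short
    SHA-256 fingerprint, enough to tell two keys apart in logs without
    giving away most of either."""
    if not secret:
        return "<unset>"
    if len(secret) <= 2 * keep:
        return "****"
    digest = hashlib.sha256(secret.encode()).hexdigest()[:8]
    return f"****{secret[-keep:]} (sha256:{digest})"


def is_trusted_dir(path: Path) -> bool:
    """Accept a directory only if it exists, is owned by the current user and
    is not writable by group or others (POSIX mode bits; assumption: this
    check is not meaningful on Windows)."""
    try:
        st = path.stat()
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if os.name == "posix" and st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def load_module_checked(name: str, directory: Path) -> types.ModuleType:
    """Import <directory>/<name>.py by explicit path, without touching
    sys.path, and only if directory and file pass the permission check."""
    if not is_trusted_dir(directory):
        raise PermissionError(f"refusing to import {name} from {directory}")
    source = directory / f"{name}.py"
    if source.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{source} is group/world-writable")
    spec = importlib.util.spec_from_file_location(name, source)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def demo() -> dict:
    """Constructed fixture: a placeholder key and a stand-in resolve_env.py,
    first in a 0700 directory, then in the same directory made world-writable."""
    key = "AIza" + "x" * 35  # constructed placeholder, not a real key
    out = {"weak": weak_mask(key), "masked": mask_secret(key)}
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "scripts"
        scripts.mkdir(mode=0o700)
        module_file = scripts / "resolve_env.py"
        module_file.write_text("def resolve_env():\n    return 'ok'\n")
        os.chmod(module_file, 0o600)
        out["trusted_import"] = load_module_checked("resolve_env", scripts).resolve_env()
        os.chmod(scripts, 0o777)  # simulate a directory other users can write to
        try:
            load_module_checked("resolve_env", scripts)
            out["untrusted_import"] = "loaded"
        except PermissionError:
            out["untrusted_import"] = "refused"
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the file prints the weak mask (which reproduces most of the placeholder key), the fingerprint-style mask, "ok" for the import from the locked-down directory and "refused" once the same directory is world-writable. The fingerprint lets a setup script confirm which key is loaded without ever echoing enough of it to be reused from a captured log.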
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:15 PM