site-factory
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION
DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill converts user-supplied markdown and metadata into a static website, which introduces a potential XSS vulnerability.
  - Ingestion points: User-provided markdown content (for {{CONTENT}}), site name (for {{BRAND_NAME}}), and document title (for {{TITLE}}), as described in Step 0 and Step 3.
  - Boundary markers: Absent. The skill does not define specific delimiters to separate user content from the HTML template's structure, and includes no instruction to treat input as plain text.
  - Capability inventory: The skill uses the Write tool to generate the build/index.html file and the Bash tool to run site_api.py publish, which transmits the generated site.
  - Sanitization: Absent. There is no instruction to escape or sanitize the markdown content during its conversion to HTML, so malicious scripts embedded in the markdown could execute when the site is viewed.
- Command Execution (LOW): The skill uses the Bash tool to run local scripts with parameters derived from user input.
  - Evidence: Commands like python3 scripts/site_api.py info {brand} {site-name} and cat plugins/docs-factory/skills/brand-{BRAND}/assets/manifest.json rely on user-provided strings.
  - Context: The risk is mitigated by explicit instructions for the agent to validate these strings against a strict alphanumeric regex (^a-z0-9?$) before execution.
Audit Metadata