skills/briansunter/mankey/mankey-cli/Gen Agent Trust Hub

mankey-cli

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill relies on npx -y mankey to perform its functions. This pattern downloads and executes code from the public npm registry at runtime without version pinning or source verification. As 'mankey' is not a trusted source, this poses a risk of a supply chain attack or the execution of malicious code.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It reads content from Anki notes and cards (untrusted data) through tools like notesInfo and cardsInfo (SKILL.md). These data points are then processed by the agent. Because the skill has a high 'Capability Inventory' (including file writes via exportPackage, media manipulation via storeMediaFile, and data modification via updateNote or sync), an attacker could embed instructions in a flashcard to hijack the agent's behavior.
      • Ingestion points: notesInfo, cardsInfo, retrieveMediaFile, findNotes, findCards.
      • Boundary markers: Absent. There are no instructions to the agent to treat card content as data rather than instructions.
      • Capability inventory: storeMediaFile (write local files), exportPackage (write files to path), importPackage (read/execute from path), sync (network operation), updateNote, deleteDecks, guiExitAnki.
      • Sanitization: Absent. Data is retrieved and passed to the agent context raw.
  • [COMMAND_EXECUTION] (HIGH): The skill provides numerous tools that interact directly with the host filesystem and the Anki application. Tools like storeMediaFile, importPackage, and exportPackage accept arbitrary file paths, which could be abused to read sensitive files or write malicious data to the system if the agent is manipulated.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The storeMediaFile tool supports a url parameter, allowing the agent to download arbitrary content from the internet to the local Anki media directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:13 AM