The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill facilitates downloading files from external sources. Scripts such as doc_preview_pdf.py and doc_preview_process.py generate pre-signed URLs to fetch converted document data from the Volcengine TOS service.
[EXTERNAL_DOWNLOADS]: The doc_preview_html_url.py script includes a --direct-url feature, allowing the agent to perform GET requests on arbitrary URLs provided as input to parse preview tokens.
[EXTERNAL_DOWNLOADS]: The skill processes data from external endpoints (TOS objects or user-provided URLs) which constitutes an indirect injection surface.
Ingestion points: Content is retrieved via urllib.request.urlopen in all conversion and preview scripts.
Boundary markers: None identified.
Capability inventory: The skill has the capability to perform network requests (urlopen) and write data to the local filesystem (open(..., 'wb')).
Sanitization: A MAX_OBJECT_SIZE safeguard is used to validate file sizes before completing local writes, mitigating potential disk exhaustion.
[SAFE]: Authentication credentials (TOS_ACCESS_KEY and TOS_SECRET_KEY) are managed through environment variables rather than being hardcoded, following security best practices.
[SAFE]: The base64 decoding implemented in doc_preview_html_url.py is used solely to parse legitimate API tokens for document previewing and does not serve as a malicious obfuscation layer.

byted-tos-doc-process