piclist-upload

Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The script scripts/process.sh runs rm -f on paths extracted directly from Markdown content. Because it does not check that the resolved paths lie inside a restricted workspace or other safe directory, a malicious Markdown file can use absolute paths or path traversal (e.g. ![](/etc/hosts)) to target sensitive system or user files for deletion.
  • [DATA_EXFILTRATION] (LOW): The skill is designed to read local files and transmit them to a network endpoint via curl. The default endpoint is a local server (127.0.0.1), but it is configurable through the PICLIST_SERVER environment variable. An attacker who controls that variable can exfiltrate any file referenced in a processed Markdown document to an external server.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill acts on instructions embedded in the data it processes. Ingestion points: scripts/process.sh reads Markdown files provided as arguments. Boundary markers: none; the script parses and acts upon any string matching the Markdown image pattern. Capability inventory: network transmission (curl), file deletion (rm -f), and file reading (cat). Sanitization: minimal; the script resolves paths without verifying that they reside within an allowed directory.
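The three findings above come down to two missing checks: path containment before any cat, curl or rm -f touches a path taken from Markdown, and a trust decision about the PICLIST_SERVER endpoint. The bash below is an added example of both checks; it is not the skill's scripts/process.sh, and WORKSPACE, the function names, and the "file" form field are illustrative assumptions. Relative image paths are resolved under WORKSPACE and rejected unless they stay inside it (absolute paths, "../" traversal, and symlinks pointing outside all fail), and uploads go only to a plain-http loopback endpoint. Deleting a local file only after curl reports success is a design choice of this example, not a description of the audited script.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's scripts/process.sh. Names here
# (WORKSPACE, is_within_workspace, allowed_endpoint, safe_image_paths,
# process_markdown, the "file" form field) are assumptions for illustration.
set -u
: "${WORKSPACE:=$PWD}"   # directory that every image path must stay inside

# Accept a Markdown image path only if it resolves to a file below $WORKSPACE.
# Absolute paths are rejected outright rather than re-rooted; "../" segments
# and symlinks are resolved with readlink -f (GNU or BusyBox), so a link that
# points outside the workspace fails too; the root itself is not a target.
is_within_workspace() {
    local root target
    case $1 in
        ''|/*) return 1 ;;                 # empty or absolute: never accepted
    esac
    root=$(readlink -f -- "$WORKSPACE") || return 1
    target=$(readlink -f -- "$WORKSPACE/$1") || return 1
    [ "$target" != "$root" ] || return 1
    case $target in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Allow only plain http to 127.0.0.1, the default the audit describes. The
# host is taken from the authority part, so userinfo tricks such as
# http://127.0.0.1:1234@evil.example/ are rejected, as are other schemes,
# other hosts, and an unset PICLIST_SERVER.
allowed_endpoint() {
    local rest authority host port
    rest=${1#http://}
    [ "$rest" != "$1" ] || return 1        # scheme must be exactly http://
    authority=${rest%%/*}                  # everything before the first "/"
    case $authority in
        ''|*@*|*\?*|*\#*) return 1 ;;      # no userinfo, query or fragment
    esac
    host=${authority%%:*}
    port=${authority#*:}
    [ "$host" = 127.0.0.1 ] || return 1
    [ "$port" != "$authority" ] || return 0    # no port given
    case $port in
        ''|*[!0-9]*) return 1 ;;           # port must be digits only
    esac
    return 0
}

# Print each image path in a Markdown file that passes is_within_workspace,
# one per line; rejected paths are reported on stderr. Handles several
# ![alt](path) tags on one line and a missing trailing newline.
safe_image_paths() {
    local line rest path re='!\[[^]]*\]\(([^)]+)\)'
    while IFS= read -r line || [ -n "$line" ]; do
        rest=$line
        while [[ $rest =~ $re ]]; do
            path=${BASH_REMATCH[1]}
            if is_within_workspace "$path"; then
                printf '%s\n' "$path"
            else
                printf 'rejected: %s\n' "$path" >&2
            fi
            rest=${rest#*"${BASH_REMATCH[0]}"}   # continue after this tag
        done
    done < "$1"
}

# Upload every accepted image to the checked endpoint and delete the local
# copy only after curl reports success. Double quotes in the path are
# escaped because curl -F treats a quoted @"filename" literally.
process_markdown() {
    local md=$1 path f
    if ! allowed_endpoint "${PICLIST_SERVER:-}"; then
        printf 'refusing endpoint: %s\n' "${PICLIST_SERVER:-<unset>}" >&2
        return 1
    fi
    safe_image_paths "$md" | while IFS= read -r path; do
        f="$WORKSPACE/$path"
        f=${f//\"/\\\"}
        if curl -fsS -F "file=@\"$f\"" "$PICLIST_SERVER" >/dev/null; then
            rm -f -- "$WORKSPACE/$path"
        else
            printf 'upload failed, keeping %s\n' "$path" >&2
        fi
    done
}
```

To use it, set WORKSPACE to the directory the Markdown file's assets live in and PICLIST_SERVER to the local daemon's URL (http://127.0.0.1:<port>/...), then call process_markdown post.md. Note that this only bounds the prompt-injection finding rather than removing it: containment limits what a crafted Markdown file can reach, but any file inside the workspace that an image tag names is still uploaded and deleted, so the workspace should hold nothing but the assets meant for publication.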
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 20, 2026, 12:31 PM