alicloud-ai-image-qwen-image

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script scripts/generate_image.py reads the credentials file ~/.alibabacloud/credentials to extract API keys. It also loads environment variables from .env files in the repository root. Both are common locations for stored secrets, so the skill handles long-lived credentials directly.
  • [DATA_EXFILTRATION]: The download_image function in scripts/generate_image.py passes URLs returned by the AI model to urllib.request.urlopen without validating the URL scheme. The default urllib opener handles file:// URLs, so a manipulated result URL could make the agent read sensitive local files and write them to the output directory.
  • [COMMAND_EXECUTION]: SKILL.md documents a workflow that downloads a file from the AI-generated URL with curl and then hands it to the open command. Neither step validates the URL or the downloaded content, so a manipulated model output could cause untrusted content to be opened, and potentially executed, on the local system.
  • [EXTERNAL_DOWNLOADS]: The skill installs the official DashScope SDK from Alibaba Cloud's package registry and downloads generated image data from remote services at runtime.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection: untrusted user input directly influences the URLs used in subsequent network and system operations.
    • Ingestion points: the user-provided prompt and reference_image parameters.
    • Boundary markers: none. The skill has no delimiters around user data and no instruction to ignore instructions embedded in it.
    • Capability inventory: the skill can make network requests, write to the local file system, and execute shell commands.
    • Sanitization: no evidence of URL validation or protocol filtering on the data returned by the API before it is used.
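The DATA_EXFILTRATION and PROMPT_INJECTION findings above come down to one missing check: the result URL is used as-is. The following Python is an added example, not code from the audited skill or from Gen Agent Trust Hub. It reconstructs the flagged pattern (a download helper that hands any model-supplied URL to urlopen) beside a hardened helper that only fetches https URLs from an allowlisted host through an opener with no file handler, and it shows, using a constructed temporary file in place of a real secret, that the unsafe helper reads local files via file://. The host in ALLOWED_HOSTS, the function names and the sample content are placeholders and assumptions; the same validation should gate the curl-then-open workflow from SKILL.md before anything is downloaded.

```python
"""Added example (not the skill's own code): an any-scheme download helper
matching the audit's description, beside an https-only, host-allowlisted,
size-capped replacement. Host name, file names and sample data are placeholders."""
import os
import tempfile
import urllib.request
from urllib.error import URLError
from urllib.parse import urlparse

# Assumption: the real result host of the image service is not stated in the
# audit text, so this allowlist is a placeholder to be replaced in practice.
ALLOWED_HOSTS = frozenset({"images.example.com"})
MAX_IMAGE_BYTES = 20 * 1024 * 1024  # refuse to write more than this to disk


def unsafe_download_image(url, output_dir):
    """The flagged pattern: the model-supplied URL goes straight to urlopen().
    The default opener includes a FileHandler, so file:///path is accepted."""
    os.makedirs(output_dir, exist_ok=True)
    dest = os.path.join(output_dir, "image.bin")
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest


def validate_image_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs to an allowlisted host, with no embedded credentials."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"refusing scheme {parts.scheme!r}; only https is allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host {host!r} is not on the allowlist")
    if parts.username or parts.password:
        raise ValueError("embedded credentials are not allowed in image URLs")
    return url


def _https_only_opener():
    """An opener with no FileHandler, no HTTPHandler and no redirect handler,
    so even a bypassed validation step cannot turn this into a local file read."""
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.HTTPSHandler(),
                    urllib.request.HTTPDefaultErrorHandler(),
                    urllib.request.HTTPErrorProcessor(),
                    urllib.request.UnknownHandler()):
        opener.add_handler(handler)
    return opener


def opener_refuses_file_scheme():
    """True if the restricted opener rejects a file:// URL outright."""
    try:
        _https_only_opener().open("file:///etc/hostname")
    except URLError:
        return True
    return False


def safe_download_image(url, output_dir, allowed_hosts=ALLOWED_HOSTS):
    """Validated, https-only, size-capped download into output_dir."""
    validate_image_url(url, allowed_hosts)
    os.makedirs(output_dir, exist_ok=True)
    dest = os.path.join(output_dir, "image.bin")
    try:
        with _https_only_opener().open(url, timeout=30) as resp, open(dest, "wb") as out:
            written = 0
            while True:
                chunk = resp.read(65536)
                if not chunk:
                    break
                written += len(chunk)
                if written > MAX_IMAGE_BYTES:
                    raise ValueError("response exceeds MAX_IMAGE_BYTES")
                out.write(chunk)
    except Exception:
        if os.path.exists(dest):
            os.remove(dest)  # never leave a partial or oversized file behind
        raise
    return dest


def demonstrate_file_scheme_read():
    """Constructed demonstration: a temp file stands in for a secret. The unsafe
    helper copies it via file://; the hardened helper refuses the URL.
    Returns (bytes_leaked, refused)."""
    sample_secret = b"AKID=example-not-a-real-key\n"  # constructed, not a credential
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "credentials")
        with open(secret_path, "wb") as fh:
            fh.write(sample_secret)
        url = "file://" + secret_path  # what a manipulated result URL could look like
        leaked_path = unsafe_download_image(url, os.path.join(tmp, "out"))
        with open(leaked_path, "rb") as fh:
            leaked = fh.read()
        try:
            safe_download_image(url, os.path.join(tmp, "out2"))
            refused = False
        except ValueError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demonstrate_file_scheme_read()
    print("unsafe helper leaked:", leaked, "| hardened helper refused:", refused)
```

The scheme and host checks run before any socket is opened, and the restricted opener is a second layer: with no HTTPHandler and no redirect handler, a 3xx from the allowlisted host raises rather than being followed to an arbitrary scheme or host.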
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 11, 2026, 03:28 AM