skills/connorads/dotfiles/music/Gen Agent Trust Hub

music

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to process untrusted external strings as prompts for music generation, which are then passed to a remote API and used to generate files.
  • Ingestion points: The prompt and composition_plan parameters in SKILL.md and references/api_reference.md.
  • Boundary markers: Absent. User input is directly interpolated into API calls.
  • Capability inventory: Performs network requests to api.elevenlabs.io and writes files to the local filesystem (e.g., output.mp3 and dynamically via result.filename).
  • Sanitization: The skill logic contains no sanitization; it relies entirely on the remote API's content filters, which do not protect the local agent from malicious instructions within the data flow.
  • Data Exposure & Exfiltration (MEDIUM): The skill writes files to the local disk using filenames returned by the remote API (result.filename in compose_detailed). If the API or the prompt sequence influences this filename, it could lead to path traversal or overwriting of sensitive local files.
  • Unverifiable Dependencies (MEDIUM): The skill requires the installation of elevenlabs (Python) and @elevenlabs/elevenlabs-js (Node.js). While these appear to be official packages for the service, they are not from the pre-defined list of trusted sources.
  • Network Operations (LOW): The skill makes network requests to api.elevenlabs.io. This domain is not on the trusted whitelist, though it is the expected endpoint for the service described.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:12 PM