Art

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Categories checked: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): The skill uses bun run to execute a local generation tool (Tools/Generate.ts) and curl to send POST requests to a local notification server (localhost:8888). These are intended functionalities for generating assets and providing user feedback.
  • [EXTERNAL_DOWNLOADS] (SAFE): The DiscordBotClient class in Lib/discord-bot.ts uses the fetch API to download generated images from Discord/Midjourney URLs to the local filesystem. This is a core component of the art generation workflow.
  • [CREDENTIALS_UNSAFE] (SAFE): The skill identifies that API keys are stored in a local environment file (${PAI_DIR}/.env) rather than being hardcoded in the scripts, which aligns with security best practices.
  • [PROMPT_INJECTION] (SAFE): The skill exposes an indirect prompt injection surface by interpolating user requests into command-line arguments for the generation tool. This is standard for image generation skills, and no malicious bypass patterns were observed.
  • Ingestion points: User-provided descriptions for illustrations and icons in SKILL.md and Workflows/CreatePAIPackIcon.md.
  • Boundary markers: Absent; user input is interpolated into strings like --prompt "[PROMPT]".
  • Capability inventory: Subprocess execution via bun run in SKILL.md and Workflows/CreatePAIPackIcon.md.
  • Sanitization: None detected in the provided markdown or logic scripts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 05:43 PM