Remotion
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Prompt Injection (MEDIUM): The `SKILL.md` file mandates a voice notification command (`curl -s -X POST http://localhost:8888/notify`) to be executed immediately upon invocation. This override instruction forces a side effect and establishes a predictable behavior that could be exploited if the local endpoint is malicious or misused.
- Indirect Prompt Injection (MEDIUM): Several components ingest untrusted external data that can control composition properties.
  - Ingestion points: `Ref-calculate-metadata.md` (`props.dataUrl`), `Ref-import-srt-captions.md` (external .srt files via fetch), and `Ref-lottie.md` (external Lottie JSON).
  - Boundary markers: Absent. External content is not delimited or labeled as untrusted.
  - Capability inventory: The skill possesses command execution capabilities via `Tools/Render.ts`, which uses the Bun shell to run the Remotion CLI.
  - Sanitization: None detected. Data from external URLs is parsed directly and used as component props.
- Unverifiable Dependencies & Remote Code Execution (LOW): The documentation suggests installing various `@remotion/*` and `@remotion/three` packages at runtime using `npx remotion add`. While these are standard for the tool, they involve unverified external downloads during execution.
- Data Exposure & Exfiltration (LOW): The skill is instructed to read local Art preferences from `~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/Art/PREFERENCES.md`. While this is within the expected directory structure for these skills, it demonstrates cross-skill data access.
Audit Metadata