microsim-utils

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's core purpose involves ingesting and processing content from MicroSim directories (HTML, Markdown, JS). Because the skill has the capability to execute shell commands and modify source code, it presents a high-risk surface for indirect prompt injection. An attacker could place malicious instructions in index.md or main.html to hijack the agent's logic.
  • Ingestion points: references/screen-capture.md, references/add-icons.md, and SKILL.md all involve reading from user-provided MicroSim paths.
  • Boundary markers: None are present; untrusted content is processed directly.
  • Capability inventory: Execution of ~/.local/bin/bk-capture-screenshot, shell grep commands, and multi-step file editing in add-icons.md.
  • Sanitization: No evidence of sanitization or validation of the untrusted content before processing or using it in commands.
  • Data Exposure & Exfiltration (HIGH): The screen-capture.md utility instructs the agent to run a script that uses --disable-web-security and --allow-file-access-from-files flags for Chrome. These flags bypass the Same-Origin Policy (SOP). A malicious HTML file in a MicroSim could use this to read sensitive local files (e.g., SSH keys, credentials) and potentially exfiltrate them during the 5-second rendering window.
  • Command Execution (MEDIUM): The skill relies on executing local shell commands like grep and a specific binary bk-capture-screenshot. While the paths are somewhat constrained, the lack of input validation on the <microsim-directory-path> parameter creates a risk of argument injection or unexpected file access.
  • Unverifiable Dependencies (MEDIUM): The skill depends on a locally installed script ~/.local/bin/bk-capture-screenshot. Since the skill does not manage this dependency's integrity or source, it represents an unverified execution vector that must be manually audited on the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:20 AM