NYC

design-fast

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill accepts untrusted data via the $ARGUMENTS variable, which is then processed by the agent to fulfill design tasks. This data is used to populate parameters for shell commands and determines content written to the local filesystem.
  • Ingestion Point: The $ARGUMENTS variable within the <tasks> tags in SKILL.md.
  • Boundary Markers: Uses <tasks> XML-style delimiters, but lacks instructions to the agent to disregard instructions embedded within the user data.
  • Capability Inventory: The skill performs shell execution (running search.py via python3) and file modification (updating ./docs/design-guidelines.md).
  • Sanitization: No sanitization or validation of the input is performed before it influences downstream actions.
  • [Command Execution] (MEDIUM): The workflow explicitly directs the agent to execute Python scripts located in the $HOME directory. While these scripts are part of the broader skill ecosystem, executing shell commands based on templates that are filled using untrusted user input (e.g., <product-type>, <style-keywords>) poses a risk of argument injection if the agent does not properly escape the inputs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:40 PM