
design-screenshot

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted multimodal data and has write/execute capabilities.
  • Ingestion points: The skill accepts user-provided screenshots via the $ARGUMENTS variable in SKILL.md.
  • Boundary markers: There are no boundary markers or instructions to ignore embedded text within the screenshot analysis workflow.
  • Capability inventory: The skill can create directories, write markdown files (plan.md, phase-XX-phase-name.md), generate HTML/CSS/JS code, and modify existing documentation (./docs/design-guidelines.md).
  • Sanitization: There is no sanitization of the text extracted from the screenshot before it is passed to the planning and implementation subagents.
  • [COMMAND_EXECUTION] (MEDIUM): The workflow (Step 4) generates and implements code in pure HTML/CSS/JS based on plans derived from untrusted input. An attacker could use a screenshot to influence the generated code to include malicious scripts (e.g., cross-site scripting or local file access if viewed in a vulnerable environment).
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill lists ui-ux-pro-max and frontend-design as required skills that must be 'activated'. These are unverifiable dependencies that are not provided in the source and do not originate from a documented trusted source.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:01 PM