design-screenshot

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE

Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes external data from screenshots provided via the $ARGUMENTS parameter. This creates a surface for both direct and indirect prompt injection attacks.
  • Direct Injection: The $ARGUMENTS variable is interpolated directly into the <screenshot> tag in SKILL.md without sanitization. A malicious user could provide input that closes the tag and introduces new instructions to override the agent's behavior.
  • Indirect Injection: The skill uses vision capabilities (ai-multimodal) to analyze images which may contain hidden instructions or malicious text designed to influence the model's output.
  • Ingestion points: $ARGUMENTS variable used for screenshot paths or data in SKILL.md.
  • Boundary markers: No specific delimiters or "ignore instructions" warnings are present to protect against text-in-image injections.
  • Capability inventory: The skill has significant capabilities including file system write access (plan.md, ./docs/design-guidelines.md), task management via TaskCreate, and the ability to invoke subagents (ui-ux-designer).
  • Sanitization: No explicit sanitization or validation of the input data or OCR results is implemented beyond the base model's safety filters.
Audit Metadata

Risk Level: SAFE

Analyzed: Apr 3, 2026, 09:17 AM