canghe-image-gen
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads sensitive environment variables (API keys) and transmits them to external endpoints via `fetch`. While the default endpoints are official AI provider APIs, the skill allows overriding these URLs (e.g., `CANGHE_BASE_URL`, `OPENAI_BASE_URL`) via environment variables or local `.env` files. If an attacker can influence these configuration sources, they could redirect API requests and the associated keys to a malicious server.
- [DATA_EXFILTRATION]: The skill can read arbitrary local files from the filesystem when provided via the `--promptfiles` or `--ref` arguments. The content of these files is either sent as text prompts or base64-encoded images to remote AI services. This behavior could be exploited to exfiltrate local data if an agent is tricked into reading sensitive files.
- [COMMAND_EXECUTION]: The documentation instructs the agent to execute the utility using `npx -y bun`, which involves running the Bun runtime to execute the TypeScript scripts. This is standard for this type of tool but involves external dependency resolution.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted data.
  - Ingestion points: The skill reads external data from files via `--promptfiles` (scripts/main.ts), standard input (scripts/main.ts), and local image files via `--ref` (scripts/providers/canghe.ts, scripts/providers/google.ts).
  - Boundary markers: Absent. The skill concatenates file contents or encodes images without using delimiters or instructions to the model to ignore embedded commands.
  - Capability inventory: The skill possesses the capability to make network requests (`fetch` in all provider scripts) and write files to the disk (`writeFile` in scripts/main.ts).
  - Sanitization: Absent. No validation, filtering, or escaping is performed on the ingested prompt text or image data before it is sent to the AI providers.
Audit Metadata