skills/garrytan/gbrain/brain-pdf/Gen Agent Trust Hub

brain-pdf

Fail

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The bash logic provided in the skill instructions uses the $SLUG variable, which originates from user input, directly in shell commands (e.g., gbrain get "$SLUG"). This creates a vulnerability to command injection if the input is not sanitized.
  • [COMMAND_EXECUTION]: The instructions mandate the use of the CONTAINER=1 environment variable to skip the Chromium sandbox during the PDF generation process. Disabling the browser sandbox significantly increases the risk of successful exploitation if the processed Markdown contains malicious code.
  • [DATA_EXFILTRATION]: The file path resolution logic ($BRAIN_DIR/$SLUG.md) is susceptible to path traversal attacks. An attacker could manipulate the slug to access sensitive files outside of the intended brain repository directory.
  • [COMMAND_EXECUTION]: The skill executes a binary from a non-standard, hidden location ($HOME/.claude/skills/gstack/make-pdf/dist/pdf), which is an unverified external dependency.
  • [DATA_EXFILTRATION]: The skill processes external Markdown data from the 'brain' repository via gbrain get or direct file reads without sufficient sanitization beyond stripping YAML frontmatter. This creates an attack surface for indirect prompt injection, where malicious content in a brain page could exploit the rendering engine, especially with the sandbox disabled.
  • Ingestion points: Reads markdown content via gbrain get <slug> or from $BRAIN_DIR/$SLUG.md (SKILL.md).
  • Boundary markers: Strips YAML frontmatter using sed, but lacks delimiters or safety warnings for the main content (SKILL.md).
  • Capability inventory: Executes gbrain CLI, sed, and a Playwright-based PDF rendering binary (SKILL.md).
  • Sanitization: Mentions emoji sanitization but provides no implementation logic (SKILL.md).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 4, 2026, 07:01 AM