The Agent Skills Directory

[COMMAND_EXECUTION]: The skill interacts with system binaries (ffmpeg, ffprobe, and magick) using the Python subprocess module. All script implementations, including scripts/video_optimize.py, scripts/batch_resize.py, and scripts/media_convert.py, correctly avoid the use of shell=True and pass arguments as lists. This approach effectively mitigates potential shell injection vulnerabilities arising from malicious media filenames or parameters.
[EXTERNAL_DOWNLOADS]: Documentation within SKILL.md provides instructional references to official download pages for media tools. These links target established and well-known domains such as ffmpeg.org and imagemagick.org, or recommend standard package managers like brew and apt for binary installation.
[PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection because it reads and processes data from external media files.
Ingestion points: Untrusted data enters the context through media file parsing in scripts/video_optimize.py (via ffprobe) and scripts/batch_resize.py (via magick).
Boundary markers: The skill lacks specific delimiters or 'ignore' warnings for the data extracted from these files.
Capability inventory: The skill maintains the capability to execute system binaries and write to the filesystem via subprocess.run calls located in all primary script files.
Sanitization: While technical sanitization against shell injection is present through the use of argument lists, semantic sanitization of the processed metadata is not implemented.

media-processing