AGENT LAB: SKILLS

nano-banana-pro-openrouter

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The SKILL.md documentation recommends installing the uv tool with curl | sh on Linux/macOS and irm | iex on Windows. This piped-remote-execution pattern runs whatever the server returns at that moment, with no checksum, signature or version pin and no opportunity to review the script before it executes; the source domain (astral.sh) is also not in the trusted source list.
  • COMMAND_EXECUTION (MEDIUM): In scripts/generate_image.py, the --filename argument is used as-is as the output path passed to write_bytes, and the script first runs mkdir(parents=True, exist_ok=True) on that path's parent, so any missing directories are created silently. Because the value is never normalized or confined to an output directory, a caller, or a prompt hijacked into invoking the script, could pass a path such as ~/.bashrc or ~/.ssh/authorized_keys and overwrite the target with the returned image bytes.
  • DATA_EXFILTRATION (LOW): The script reads local image files named by --input-image and sends their base64-encoded content to https://openrouter.ai/api/v1. This is the intended functionality, but it means the full file, including any embedded metadata, leaves the machine for a third-party API.
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection via the image ingestion surface.
      ◦ Ingestion points: Local image files provided via the --input-image argument in scripts/generate_image.py.
      ◦ Boundary markers: Absent; images are encoded and sent to the LLM without delimiters or instructions to ignore embedded content.
      ◦ Capability inventory: The script possesses file-read (input), file-write (output to arbitrary paths), and network access (OpenRouter API).
      ◦ Sanitization: None; the script does not validate image metadata or content for adversarial instructions before processing.
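The following is an added example for the COMMAND_EXECUTION finding; it is illustrative code written for this audit page, not the skill's own scripts/generate_image.py, which is not reproduced here. It recreates the flagged pattern (a raw --filename used as the write path after mkdir(parents=True, exist_ok=True)) and places a hardened version beside it that confines the name to an output directory. Every name in it (save_image_unsafe, safe_output_path, save_image_safe, demo, ALLOWED_SUFFIXES) and the sample filenames are assumptions for the example, not identifiers from the skill.

```python
"""Added example: confining a user-supplied --filename to an output directory.

Illustrative code for this audit page, not the audited skill's own script.
All function names, the ALLOWED_SUFFIXES policy and the sample inputs are
assumptions made for the example.
"""
from pathlib import Path
import tempfile

# Assumed policy: the skill only ever needs to write image files.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".webp"}


def save_image_unsafe(filename: str, data: bytes) -> Path:
    """The pattern the audit flags: the argument is trusted as-is.

    A shell expands ~ before argparse sees it, so '~/.ssh/authorized_keys'
    arrives as an absolute path; '../../x' walks out of the working
    directory; and parents=True silently creates any missing directories.
    """
    out = Path(filename).expanduser()
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_bytes(data)
    return out


def safe_output_path(output_root: Path, filename: str) -> Path:
    """Map a user-supplied name to a path strictly inside output_root.

    Raises ValueError for empty names, tilde prefixes, absolute paths,
    '..' components, non-image extensions, and anything that still resolves
    outside output_root (for example via a symlink planted inside it).
    """
    if not filename or filename.startswith("~"):
        raise ValueError("filename must be a plain relative name")
    candidate = Path(filename)
    if candidate.is_absolute() or ".." in candidate.parts:
        raise ValueError("absolute paths and '..' components are not allowed")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"{candidate.suffix!r} is not an image extension")
    root = output_root.resolve()
    target = (root / candidate).resolve()  # follows symlinks in existing parts
    if root not in target.parents:
        raise ValueError(f"{filename!r} escapes {root}")
    return target


def save_image_safe(output_root: Path, filename: str, data: bytes) -> Path:
    """Hardened replacement: validate first, then create only dirs under root."""
    target = safe_output_path(output_root, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise both variants on constructed names inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "outputs"
        root.mkdir()
        # Unsafe variant: a name pointing anywhere is created and written.
        # (Constructed target under the temp dir; a real attacker would aim
        # at ~/.bashrc or ~/.ssh/authorized_keys.)
        clobbered = save_image_unsafe(
            str(Path(tmp) / "victim" / ".ssh" / "authorized_keys"), b"\x89PNG..."
        )
        verdicts = {"unsafe_escaped_root": root not in clobbered.parents}
        # Safe variant: the same class of names is rejected before any I/O.
        for name in ("cat.png", "sub/dir/cat.png", "../escape.png",
                     "sub/../../escape.png", "/etc/cron.d/job.png",
                     "~/.bashrc", "notes.txt"):
            try:
                safe_output_path(root, name)
                verdicts[name] = "allowed"
            except ValueError:
                verdicts[name] = "rejected"
        written = save_image_safe(root, "sub/dir/cat.png", b"\x89PNG...")
        verdicts["safe_write_inside_root"] = root.resolve() in written.parents
        return verdicts


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

The validation deliberately runs before the mkdir call: with parents=True, the directory creation itself is already a side effect at an attacker-chosen location, so rejecting the name first matters as much as confining the final write. Resolving both root and target (rather than comparing strings) is what defeats a symlink placed inside the output directory.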
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:28 PM