baoyu-image-gen

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection through shell interpolation of environment variables.
  • Evidence: In scripts/providers/google.ts, the function postGoogleJsonViaCurl constructs a shell command using template literals and executes it via execSync. The variables ${proxyArgs} and "${url}", which are derived directly from environment variables such as GOOGLE_BASE_URL, https_proxy, and HTTPS_PROXY, are not sanitized.
  • Risk: An attacker can influence these environment variables by providing a malicious .baoyu-skills/.env file in a project directory. For example, setting GOOGLE_BASE_URL to a value like https://example.com" ; touch /tmp/exploit ; # would cause the shell to execute the injected command when the skill is run.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with well-known technology service providers to perform its primary function of image generation.
  • Evidence: The skill makes network requests to generativelanguage.googleapis.com (Google), api.openai.com (OpenAI), dashscope.aliyuncs.com (Alibaba Cloud), and api.replicate.com (Replicate).
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes untrusted input from external files and reference images.
  • Ingestion points: Prompt data is ingested from files specified via the --promptfiles flag in scripts/main.ts.
  • Boundary markers: The content of multiple prompt files is concatenated using double newlines, with no delimiters and no instruction telling the agent to treat the file contents as data rather than as instructions.
  • Capability inventory: The skill possesses bash execution capabilities, network access, and file-write permissions, which could be abused if an injection is successful.
  • Sanitization: No sanitization or safety-filtering is applied to the content of the external prompt files before they are included in requests to the AI models.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 7, 2026, 06:16 AM