skills/ilkerzg/agent-skills/fal-audio/Gen Agent Trust Hub

fal-audio

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Command injection vulnerability in scripts/speech-to-text.sh and scripts/text-to-speech.sh via the --add-fal-key functionality. The scripts take user-provided input and append it directly to a .env file using echo "FAL_KEY=$KEY_VALUE" >> .env. Because the scripts subsequently load this file using the source command, any command substitution embedded in $KEY_VALUE (e.g., $(whoami)) is written to .env verbatim and then executed with the privileges of the agent when the file is sourced.
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified in scripts/text-to-speech.sh and scripts/speech-to-text.sh.
      • Ingestion points: User-provided arguments --text, --audio-url, and --model are used directly.
      • Boundary markers: No delimiters or safety instructions are used to isolate untrusted user data.
      • Capability inventory: The scripts possess network capabilities via curl to transmit data to the fal.ai API.
      • Sanitization: Completely absent. Inputs are interpolated into JSON payloads using shell heredocs (cat <<EOF), which allows for structural injection. For example, a malicious string could close the intended JSON field and inject additional parameters into the API request.
  • [COMMAND_EXECUTION]: The skill uses curl to interact with external API endpoints (fal.run). While the service itself is well-known, the parsing of the JSON response is performed using fragile shell pipelines (grep and cut). This approach is highly susceptible to processing errors or further injection if the remote service returns unexpected or malicious content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 6, 2026, 10:00 AM