icon-craft
Warn
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the Bash tool for converting SVGs to PNGs using utilities such as resvg, cairosvg, and rsvg-convert. These commands are built by interpolating user-controlled variables (e.g., {icon-name}, {SIZE}) directly into shell strings. This pattern presents a significant risk of command injection if the agent fails to sanitize these inputs before execution.
- [REMOTE_CODE_EXECUTION]: The skill employs node -e to execute dynamically generated JavaScript snippets for resizing icons. This execution model allows user-influenced data to reach an execution sink in the Node.js runtime, potentially leading to arbitrary code execution.
- [EXTERNAL_DOWNLOADS]: The skill performs WebFetch operations to retrieve SVG files from external sources such as unpkg.com and other icon library CDNs. While these are well-known and generally trusted sources for design assets, the downloads are parameterized by user queries and the retrieved content is subsequently processed by the agent.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its asset retrieval workflow.
  1. Ingestion points: Untrusted SVG data and metadata enter the context via WebSearch and WebFetch (SKILL.md).
  2. Boundary markers: Absent; there are no instructions to delimit or treat external content as untrusted.
  3. Capability inventory: The agent has access to high-risk tools including Bash, Write, and WebFetch.
  4. Sanitization: Absent; the skill lacks specific directions to validate retrieved SVG markup or escape its attributes before using them in shell commands or code generation.