xiaomi-mimo-tts

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Python code injection in scripts/base/mimo-tts.sh. In --dry-run mode the script builds a Python snippet in a shell heredoc and executes it. The caller-supplied variable $TEXT is interpolated directly into that snippet inside a triple-quoted string literal ("""$TEXT"""). Because the shell expands $TEXT before Python ever parses the heredoc, an input containing a triple quote closes the literal and everything that follows is parsed as Python statements, e.g. """ ; import os; os.system('whoami') ; """. Text handed to a TTS skill is typically untrusted (it may come from a document or a model response), so this is arbitrary code execution on the host as the user running the script. The fix is to stop interpolating: quote the heredoc delimiter so the shell expands nothing inside it, and pass the text to Python out-of-band through an environment variable or argv.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with an external API at api.xiaomimimo.com to perform TTS synthesis. While this is the intended functionality, it means every string passed to the skill, together with the authentication token, leaves the host for a third-party service.
  • [COMMAND_EXECUTION]: The skill invokes external binaries such as ffmpeg and jq through the shell for audio processing and JSON parsing. The observed usage is conventional, but each invocation is additional attack surface if unsanitized input (a filename or option string, for instance) ever reaches their argument lists.
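The heredoc finding above, shown as an added illustration. This is not code from mimo-tts.sh or from the skill's authors; it is a minimal stand-in for the --dry-run path that reproduces the unsafe pattern the audit describes beside a hardened equivalent. The function names and the MIMO_TEXT variable are chosen for this example, and the payload is constructed (it prints a marker instead of running whoami so the effect is easy to observe).

```shell
#!/bin/sh
# Added illustration (not the mimo-tts.sh source): a minimal stand-in for the
# --dry-run path. vulnerable_dry_run reproduces the unsafe heredoc pattern the
# audit describes; safe_dry_run is the hardened equivalent.

# UNSAFE: the heredoc delimiter is unquoted, so the shell expands $1 into the
# Python source before the interpreter sees it. A triple quote in the input
# ends the string literal and the rest of the input is parsed as Python code.
vulnerable_dry_run() {
  python3 - <<PY
text = """$1"""
print(text)
PY
}

# SAFE: the delimiter is quoted ('PY'), so the shell performs no expansion
# inside the heredoc. The text reaches Python out-of-band via an environment
# variable (MIMO_TEXT is a name chosen for this example), and Python treats it
# as data no matter which characters it contains.
safe_dry_run() {
  MIMO_TEXT="$1" python3 - <<'PY'
import os
text = os.environ["MIMO_TEXT"]
print(text)
PY
}

# Constructed payload in the shape the audit gives. The audit's variant ran
# os.system('whoami'); this one prints a marker so the effect is easy to check.
PAYLOAD='""" ; print("INJECTED") ; """'

echo "vulnerable:"; vulnerable_dry_run "$PAYLOAD"   # prints INJECTED, then an empty line
echo "safe:";       safe_dry_run "$PAYLOAD"         # prints the payload verbatim
```

The same hardening works with argv instead of the environment: `python3 - "$1" <<'PY'` followed by `text = sys.argv[1]` inside the snippet. Either way the rule is the same: untrusted text must never be spliced into source that an interpreter will parse.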
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 31, 2026, 12:42 PM