The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill contains a significant attack surface for indirect prompt injection due to how it handles external data and its available side-effect capabilities.
Ingestion points: SKILL.md provides explicit usage patterns for reading external content into the agent's context using shell expansion (e.g., $(cat video_script.txt) on line 43 and $(cat article.md ...) on line 62).
Boundary markers: Absent. There are no delimiters or instructions to treat the ingested text as untrusted data, increasing the likelihood that the agent will obey instructions embedded within the text.
Capability inventory: The script scripts/generate_audio.py performs network operations (sending text to https://api.elevenlabs.io) and filesystem writes (open(output_path, 'wb')).
Sanitization: Absent. The script performs no validation or escaping of the input text or the output file path.
[Command Execution] (MEDIUM): The documentation encourages complex shell pipelines (e.g., using sed and command substitution) which, if executed by an agent in a shell environment, can lead to unintended command execution if the filenames or content are attacker-controlled.
[External Downloads] (LOW): The skill requires the requests library. While this is a trusted package, the documentation suggests using --break-system-packages, which is a practice that can destabilize system-managed Python environments.

elevenlabs-tts