image-gen (skills/jezweb/claude-skills/image-gen)

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection (Category 8) because of its core functionality and the capabilities granted to its associated agent.
      • Ingestion points: The skill processes user-provided text prompts in SKILL.md and references/editing.md. Additionally, the image-prompter agent uses the WebFetch tool to ingest external content.
      • Boundary markers: No delimiters or safety instructions isolate untrusted user input from the agent's internal logic.
      • Capability inventory: The skill provides templates for file system writes (fs.writeFileSync in SKILL.md and references/integration.md), network access, and the execution of external binaries (magick, rembg).
      • Sanitization: There is no evidence of input validation or prompt sanitization that would prevent adversarial instructions from influencing the agent's operations.
  • [External Downloads] (MEDIUM): The skill promotes the use of external packages from untrusted sources.
      • Evidence: references/integration.md suggests installing rembg (via pip) and @imgly/background-removal-node (via pnpm/npm). These packages are not within the defined trusted organization scope.
  • [Command Execution] (MEDIUM): The documentation encourages the use of shell commands to process images.
      • Evidence: references/integration.md provides examples for executing the magick, cwebp, and rembg CLI tools. While functional, this pattern exposes the environment to the risks associated with subprocess management.
  • [Data Exposure] (LOW): The skill accesses sensitive environment variables and local files.
      • Evidence: Accesses process.env.GEMINI_API_KEY and performs file I/O operations (e.g., fs.readFileSync in references/editing.md). This is expected for an image generation skill but confirms persistent access to the local file system.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 08:35 PM