letzai-api

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH | EXTERNAL_DOWNLOADS | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (HIGH): The installation instructions in README.md recommend executing npx skills add Letz-AI/letzai-skill.
      • Evidence: README.md (Line 30): npx skills add Letz-AI/letzai-skill.
      • Details: The skills package and the associated skills.sh domain are not recognized as trusted sources. This command fetches and executes code from a third-party registry, which can lead to arbitrary code execution on the user's machine during the installation process.
  • [Indirect Prompt Injection] (LOW): The skill acts as an interface that interpolates user prompts into API calls for image and video generation.
      • Ingestion points: User prompts in README.md examples (e.g., 'Generate an image of a sunset...').
      • Boundary markers (absent): No instructions are provided to the agent to ignore instructions embedded within user input.
      • Capability inventory: The skill possesses network capabilities to api.letz.ai and letz.ai endpoints.
      • Sanitization (absent): There is no mention of input validation or escaping for user-provided strings before they are sent to the generation endpoints.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 04:36 PM