reportlab

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM

PROMPT_INJECTION

Full Analysis
  • Indirect Prompt Injection (MEDIUM): The scripts assets/invoice_template.py and scripts/quick_document.py accept external strings (e.g., client info, notes, paragraph content) and insert them directly into ReportLab Paragraph objects without sanitization.
      • Ingestion points: Function arguments in assets/invoice_template.py (company_info, client_info, notes) and scripts/quick_document.py (content_blocks).
      • Boundary markers: None present in the functional code to delimit untrusted input from layout instructions.
      • Capability inventory: The skill can write files to the local disk (doc.build) and read local image files via the Image flowable or <img src="..."/> tags.
      • Sanitization: Absent in the executable scripts. While references/text_and_fonts.md mentions the need to escape HTML for user content, the provided code does not implement this. An attacker could provide input containing tags like <img src="/etc/passwd"/> to probe the filesystem or <link href="http://malicious.com"/> for phishing.
  • Data Exposure (LOW): The create_invoice function in assets/invoice_template.py takes a logo_path argument that is passed directly to the Image flowable. If an agent allows an untrusted user to control this path, it could be used to verify the existence of sensitive local files or include them in generated documents if they are valid image formats.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 01:37 PM