designkit-edit-tools

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes a bash command using the template bash __SKILL_DIR__/../../scripts/run_command.sh <action> --input-json '<参数JSON>'. Because user-supplied data (such as image URLs or file paths) is embedded directly into the single-quoted JSON argument, there is a risk of command injection if the input contains unescaped single quotes or other control characters.
  • [DATA_EXFILTRATION]: The skill's documentation and examples explicitly support the use of local file system paths (e.g., /Users/me/photo.jpg). This functionality allows the agent to access and process arbitrary files on the host system, which could be exploited to read sensitive data if the agent is manipulated into accessing unintended paths.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface due to its processing of untrusted external data.
      ◦ Ingestion points: Untrusted image URLs and local file paths are ingested via user prompts as defined in the SKILL.md execution section.
      ◦ Boundary markers: No boundary markers or instructions to ignore embedded content are present in the command construction logic.
      ◦ Capability inventory: The skill possesses the ability to execute subprocesses via bash as part of its primary function.
      ◦ Sanitization: There is no evidence of input sanitization, validation, or shell-escaping applied to the user-provided parameters before they are interpolated into the execution string.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 27, 2026, 04:57 AM