etsy-listing-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes external HTML templates and interpolates user-controlled strings (titles, subtitles, badge text) directly into the HTML structure without sanitization. In practice this is HTML/script injection into the page that the headless browser renders.
  - Ingestion points: command-line arguments to scripts/render.mjs, batch data from stories.json, and the HTML templates themselves.
  - Boundary markers: none present; the documentation suggests simple string replacement of placeholders.
  - Capability inventory: Playwright (headless browser) with screenshot capabilities and potential network access.
  - Sanitization: no evidence of HTML escaping or input validation. An attacker who controls any interpolated field can inject markup or script that the Playwright renderer will execute.
- Data Exposure & Exfiltration (HIGH): The skill documentation explicitly supports loading local files via file:// URLs and absolute paths.
  - Evidence: SKILL.md and WORKFLOW.md encourage the use of absolute paths for image rendering and mention using fs.readFileSync for base64 encoding.
  - Risk: if input paths are not restricted, an attacker can make the skill read and render sensitive system files (e.g., .env, SSH keys) into the generated image, or exfiltrate them via the browser's network context.
- Remote Code Execution (MEDIUM): Playwright itself is a standard tool, but the lack of sanitization combined with the ability to render arbitrary HTML gives an attacker script execution inside the browser sandbox. That is a foothold rather than host compromise on its own: reaching the host from there would additionally require a sandbox escape or a Node-side handler that trusts page content.
- External Downloads (LOW): The skill requires downloading Playwright browser binaries (npx playwright install chromium). While Playwright is a trusted package, this is an external dependency that executes code fetched from a remote source.
Recommendations
- AI detected serious security threats
Audit Metadata