
ai-drawio

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest natural language from untrusted users and interpolate it into executable HTML content.
      ◦ Ingestion points: User input is used to populate DIAGRAM_DESCRIPTION and DIAGRAM_TITLE within the HTML template in SKILL.md.
      ◦ Boundary markers: There are no delimiters or instructions to ignore embedded commands within the user input.
      ◦ Capability inventory: The skill performs file writes, executes shell commands (python -m http.server), and uses browser automation to render content.
      ◦ Sanitization: While the XML is URL-encoded, the metadata fields in the HTML template are not sanitized, allowing an attacker to inject <script> tags or other malicious HTML that executes when the agent opens the browser.
  • [Command Execution] (MEDIUM): The skill explicitly directs the agent to execute shell commands to facilitate its workflow.
      ◦ Evidence: Use of python -m http.server 8765 to serve local files and the requirement for "browser automation tools" to navigate to the local server.
  • [Dynamic Execution] (MEDIUM): The skill follows a pattern of generating code (HTML) at runtime and immediately triggering its execution/rendering.
      ◦ Evidence: The workflow involves saving a generated HTML file and then using a browser to process it, which creates a runtime execution path for content derived from external prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:21 AM