paw-cra-design-social

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The workflow in references/02-production.md explicitly instructs the agent to execute shell commands (curl and jq) for interacting with the fal.ai API and managing file downloads. These commands interpolate variables such as the model endpoint, AI prompts, and output paths derived from user input or remote responses, creating a potential vector for shell injection if inputs contain malicious metacharacters.
  • [DATA_EXFILTRATION]: The skill is designed to read a sensitive API key (fal_key) from a local configuration file at {project-root}/.pawbytes/config/config.yaml and transmit it in the headers of outgoing network requests to an external service (fal.ai). This represents a chain of operations in which local secrets are exposed to network operations.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted user content from creative briefs and incorporates it into prompts for downstream AI models and HTML templates without sanitization.
      - Ingestion points: Extraction of content and copy parameters from user briefs in SKILL.md and references/01-brief-and-context.md.
      - Boundary markers: The skill does not implement boundary markers or instructions to ignore embedded commands when passing user content to the Strategist skill or AI generation endpoints.
      - Capability inventory: The workflow has access to shell execution (curl), filesystem writes, and browser automation via Puppeteer/Playwright.
      - Sanitization: There is no evidence of input validation or escaping for the user-provided text before its interpolation into command arguments or templates.
  • [EXTERNAL_DOWNLOADS]: The production stage involves fetching image assets from the fal.ai service based on URLs retrieved during the generation process and saving them directly to the local filesystem.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 09:36 AM