NYC

pw-aippt-old

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script scripts/pdf-to-images.js constructs a shell command string using unsanitized input arguments and executes it via execSync.
  • Evidence: ``const cmd = `pdftoppm -png -r ${dpi} "${pdfFile}" "${outputPrefix}"`;`` followed by `execSync(cmd, ...)`.
  • Risk: execSync hands the whole string to the system shell, so an attacker who controls the PDF filename (or the dpi value) can inject shell syntax: a double quote closes the quoted argument and lets `;` or `&` start a new command, and a `$(...)` substitution is expanded even inside the double quotes. Either executes arbitrary commands on the host when the agent processes the file.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection as it ingests content from arbitrary URLs to generate slide prompts.
  • Ingestion points: SKILL.md defines a workflow that fetches content from a user-provided URL (/pw-aippt https://example.com/article).
  • Boundary markers: Absent. The prompt templates in references/04_内容映射方法.md and references/05_提示词模板示例.md do not use delimiters or instructions to prevent the agent from obeying commands embedded in the source article.
  • Capability inventory: The skill has the ability to execute shell commands (scripts/pdf-to-images.js), write to the file system, and invoke downstream image generation tools.
  • Sanitization: Absent. The skill extracts and interpolates raw content directly into LLM prompts.
  • EXTERNAL_DOWNLOADS (LOW): The skill relies on external system dependencies that must be manually installed by the user.
  • Evidence: SKILL.md and scripts/pdf-to-images.js specify a requirement for the poppler package (pdftoppm).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:12 PM