hifi-download

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted metadata from music service APIs.
      • Ingestion points: scripts/lib/spotify.py and scripts/lib/lastfm.py fetch artist, album, and track names from external Spotify and Last.fm APIs.
      • Boundary markers: No delimiters or specific instructions to ignore embedded commands are present when the agent processes or displays this metadata.
      • Capability inventory: The skill can execute subprocesses via scripts/lib/platform.py and perform file system operations to store download state.
      • Sanitization: The skill does not perform sanitization or validation of the metadata before using it in human-readable output or as parameters for download scripts.
  • [COMMAND_EXECUTION]: The skill frequently executes external CLI tools and background worker scripts using the subprocess module.
      • Evidence: scripts/platform_download.py spawns _download_worker.py as a detached process. scripts/lib/platform.py executes qobuz-dl and tiddl using subprocess.run with parameters derived from API search results. While it uses list-based arguments, which mitigate shell injection, the execution of background processes and a local web server increases the local attack surface.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch audio content and metadata from remote servers.
      • Evidence: It makes network requests to ws.audioscrobbler.com and api.spotify.com, and downloads high-fidelity audio files from Qobuz and TIDAL. It also installs Python dependencies from PyPI during the setup phase.
  • [CREDENTIALS_UNSAFE]: The skill manages sensitive API keys and user passwords by storing them in a local environment file.
      • Evidence: scripts/setup_config.py collects Spotify secrets and Qobuz passwords, writing them in plain text to a .env file within the skill directory. While standard for CLI tools, this results in sensitive data being stored unencrypted on the file system.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 27, 2026, 08:03 PM