qwencloud-vision

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
Categories reviewed: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The gossamer.py script uses subprocess.run to execute a local version checking script (check_update.py) if it is found within the repository's skills directory. Additionally, the skill's instructions guide the agent to run commands for installing or updating related components only after receiving explicit user permission.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the qwencloud-update-check sibling skill and other updates from the official QwenCloud/qwencloud-ai repository. These actions are triggered based on update signals but are designed to be confirmed by the user before execution.
  • [DATA_EXFILTRATION]: The skill transmits image and video data to the vendor's API endpoints at dashscope-intl.aliyuncs.com to perform analysis. This is the primary function of the skill. The code includes dedicated logic in qwencloud_lib.py to mask API keys in error messages and logs, ensuring credentials are not exposed during transit or in case of failure.
  • [PROMPT_INJECTION]: The skill processes external data (images and videos) which could serve as a vector for indirect prompt injection. It manages this risk by using structured JSON payloads for API communication rather than raw string interpolation.
  • Ingestion points: Image and video file paths or URLs provided to scripts/analyze.py, scripts/reason.py, and scripts/ocr.py via the --request or --file arguments.
  • Boundary markers: The prompt and visual data are structured as specific fields within an OpenAI-compatible JSON message format.
  • Capability inventory: The skill can execute local scripts via gossamer.py and perform network requests via qwencloud_lib.py.
  • Sanitization: Input prompts are encapsulated within JSON structures, and local files are converted to Base64 or uploaded to secure temporary storage before processing.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 30, 2026, 03:04 AM