toon-formatter

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill relies on prebuilt binaries located in the bin/ directory (e.g., toon-linux-x64). Executing prebuilt binaries is a high-risk activity as they are opaque and their behavior cannot be verified through static analysis of the source files provided.
  • [Privilege Escalation] (HIGH): The docs/INSTALL.md file explicitly instructs users to execute commands with elevated privileges using sudo (e.g., sudo snap install zig, sudo mv zig-linux-x86_64-0.13.0 /usr/local/zig). This pattern is high-risk and violates the principle of least privilege for AI agent skills.
  • [Command Execution] (MEDIUM): The skill requires the Bash tool and defines several commands in SKILL.md that execute shell scripts and the compiled toon binary. This creates a significant attack surface if the environment is not strictly sandboxed.
  • [Indirect Prompt Injection] (LOW): The skill is designed to process and format arbitrary data from files, creating a surface for injection.
      ◦ Ingestion points: Commands like /toon-encode <file> read external data files.
      ◦ Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are present in the conversion logic.
      ◦ Capability inventory: Access to Bash, Read, Write, and Edit tools allows for significant system interaction based on processed data.
      ◦ Sanitization: There is no evidence of input sanitization or validation before data is passed to the encoding binary or before the output is returned to the agent context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 05:17 PM