moai-connector-nano-banana

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Category: PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill possesses a significant attack surface by ingesting untrusted data from multiple sources to influence agent actions and asset generation.
      • Ingestion points: Untrusted data enters via the prompt parameter, the reference_images array, and iterative refinement instructions in SKILL.md.
      • Boundary markers: There are no delimiters (e.g., XML tags or triple quotes with instructions) used to isolate user input from the skill's operational instructions.
      • Capability inventory: The skill triggers image generation via the generate_image function and feeds results to downstream skills like moai-domain-frontend and moai-docs-generation, potentially escalating the impact of an injection.
      • Sanitization: No evidence of input validation, prompt filtering, or metadata scrubbing for reference images is present.
  • Tool Output Poisoning (MEDIUM): The 'Real-time Grounding' feature using Google Search (Pattern 2) allows external, potentially attacker-controlled web content to be ingested into the agent's context, which could contain malicious instructions designed to hijack the image generation process.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 06:12 AM