nano-banana-pro

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted text prompts that are processed by an external LLM. The agent is then instructed to use shell commands to download files using metadata provided by the API response.
      * Ingestion points: The prompt field in the input JSON (SKILL.md).
      * Boundary markers: None present to distinguish instructions from data.
      * Capability inventory: The skill uses refly file download to write to the filesystem and open to interact with downloaded files (SKILL.md, Step 3).
      * Sanitization: The shell script OUTPUT_PATH="$HOME/Desktop/${FILE_NAME}" uses the FILE_NAME variable directly from the API without sanitization, allowing for path traversal (e.g., ../../.bashrc) or execution of arbitrary files if the filename extension is malicious (e.g., .command).
  • [COMMAND_EXECUTION] (LOW): The skill documentation provides specific shell command sequences for the agent to execute, which interact with the local environment and the Refly platform CLI.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:26 AM