volcengine-avatar

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill sits in a high-risk capability tier: external data is ingested and then consumed by a side-effect-heavy operation (automatic file opening), so content chosen by the remote side directly influences what runs on the user's machine.
  • Ingestion points: Files are fetched from a remote workflow execution via refly workflow tool calls in SKILL.md.
  • Boundary markers: None. The agent does not use delimiters or instructions to ignore embedded commands within the fetched data.
  • Capability inventory: The skill uses refly file download to save files to the user's $HOME/Desktop/ and then immediately triggers the open command on those files.
  • Sanitization: Absent. There is no validation of file types, metadata, or content before the open command is executed.
  • Command Execution (HIGH): The execution block in SKILL.md contains a loop that runs open on every file returned by the refly CLI tool. This is a classic 'download-and-execute' pattern: because the remote service supplies both the filename and the bytes, open dispatches whatever handler macOS associates with the returned file type, so a script or app bundle served in place of the expected .mp4 would be launched rather than played.
  • External Downloads (MEDIUM): The skill relies on the refly CLI and the refly.ai infrastructure, which are not within the defined trusted source scope. It downloads opaque binary data (videos) and handles them with high-privilege local commands.
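The findings above describe a download-then-open loop but the page does not reproduce the skill's actual code. The block below is an added example, not code from the volcengine-avatar skill or the refly CLI: a bash gate a skill could run between the download step and open, accepting only regular, non-symlinked files whose extension is on an allow-list and whose content carries the matching MP4 container magic, and listing the accepted files instead of opening them automatically. The function names, the DOWNLOAD_DIR variable, the mp4-only allow-list and the reconstructed risky loop in the comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the volcengine-avatar skill or the refly CLI):
# a gate between "file downloaded" and "file opened". Function names,
# the DOWNLOAD_DIR variable and the allow-list are assumptions.
set -u

# The risky shape described in the audit, reconstructed for contrast (assumed;
# the page does not show the real loop): every file the download step leaves
# behind is handed to open(1), so a name and content chosen by the remote
# service decide which local handler runs.
#
#   for f in "$HOME/Desktop"/*; do open "$f"; done
#
# The remote side controls both the filename and the bytes, so neither the
# extension nor the content can be trusted on its own; check both.

# True when bytes 4-7 of the file are the ISO base media box type "ftyp",
# which MP4/MOV containers start with. Only alphanumerics survive tr, so
# binary garbage cannot accidentally compare equal.
is_mp4_magic() {
  local box
  box=$(head -c 8 "$1" 2>/dev/null | tail -c 4 | LC_ALL=C tr -cd 'a-zA-Z0-9')
  [ "$box" = "ftyp" ]
}

# Exit status is the verdict: 0 = safe to hand to a video player, 1 = refuse.
# Rejects hidden names, control characters in names, missing or non-video
# extensions, anything that is not a regular file, symlinks (which could
# point outside the download directory), and files whose content does not
# match the container the extension claims.
vet_download() {
  local f="$1" name ext
  name=$(basename -- "$f")
  case "$name" in
    .*|*[[:cntrl:]]*) return 1 ;;
  esac
  ext="${name##*.}"
  [ "$name" != "$ext" ] || return 1          # no extension at all
  case "$ext" in
    mp4|MP4) ;;                              # allow-list (assumed: skill returns videos)
    *) return 1 ;;
  esac
  [ -f "$f" ] && [ ! -L "$f" ] || return 1
  is_mp4_magic "$f"
}

# Prints the vetted files, one per line, and never opens anything itself.
# Opening stays a separate, user-confirmed step instead of a side effect of
# the download loop.
vet_dir() {
  local dir="$1" f
  for f in "$dir"/*; do
    [ -e "$f" ] || continue                  # empty directory: glob stays literal
    vet_download "$f" && printf '%s\n' "$f"
  done
  return 0
}

# Stand-alone use: DOWNLOAD_DIR="$HOME/Desktop" bash vet.sh
if [ -n "${DOWNLOAD_DIR:-}" ]; then
  vet_dir "$DOWNLOAD_DIR"
fi
```

The extension check alone would not help here, since the remote service names the file; the magic check alone would not help either, since open chooses its handler from the name. Checking both, refusing symlinks, and leaving the open step to the user removes the automatic download-and-execute path the audit flags. A stricter deployment would also confirm the vetted path resolves inside the expected download directory before showing it.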
Recommendations
  • Automated analysis detected serious security threats; review the Full Analysis findings above before installing this skill.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:16 AM