The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes shell commands such as ls, curl, and file using variables derived from user input and search results. Direct interpolation of these variables creates an attack surface for command injection. It also uses uv run to execute Python code that incorporates local file paths for image validation.
[EXTERNAL_DOWNLOADS]: The skill performs automated downloads from various external sources. While it targets established platforms like GitHub and Clearbit, it also fetches assets from arbitrary brand-specific URLs discovered via web searches.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing external data from websites to determine its execution flow. * Ingestion points: Data extracted from brand press kits and media pages via WebFetch in SKILL.md. * Boundary markers: None. * Capability inventory: Shell execution, file management, and dynamic Python validation via uv. * Sanitization: The skill implements file integrity checks such as size and format validation, but does not sanitize extracted metadata or URLs before using them in command-line operations.

fetch-brand-assets