baoyu-compress-image

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill processes file paths derived from potentially untrusted inputs and possesses the capability to delete or overwrite files, creating a significant attack surface for data loss or file manipulation.
  • Ingestion points: The <input> CLI argument and --output option in scripts/main.ts (handled via process.argv).
  • Boundary markers: None identified.
  • Capability inventory: unlinkSync (file deletion), renameSync (file overwrite), and execution of external binaries (sips, cwebp, convert) via spawn across scripts/main.ts.
  • Sanitization: The script uses path.resolve() and checks for a list of SUPPORTED_EXTS. It uses spawn with argument arrays to prevent shell-based command injection.
  • Unverifiable Dependencies & Remote Code Execution (MEDIUM): The script dynamically imports the sharp library (await import("sharp")) and the documentation suggests using npx to execute the script with bun. The absence of a package.json or lockfile means these dependencies are not pinned to specific versions, posing a risk of executing unverified code if fetched at runtime.
  • Command Execution (LOW): The skill executes external system binaries (sips, cwebp, convert). While the usage of spawn with argument arrays is a secure implementation pattern, the tool is inherently dependent on the presence and security of these third-party utilities.
  • Data Exposure & Exfiltration (LOW): The skill defaults to deleting the original input file after successful compression (!opts.keep). While this is a documented feature for optimizing storage, it is a destructive operation that increases the impact of accidental or malicious misdirection by the AI agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:56 AM