baoyu-infographic

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Category: PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill's core workflow (Step 1.2 and Step 2) involves ingestion of untrusted content from user-provided Markdown files. The instructions in SKILL.md and references/structured-content-template.md emphasize preserving this content 'verbatim' without summarization, creating a direct path for embedded malicious instructions to reach the downstream image generation prompt.
    • Ingestion points: SKILL.md Step 1.2 (source content loading).
    • Boundary markers: Absent. The skill lacks explicit instructions to sanitize or wrap untrusted data with markers that would signal the LLM to ignore embedded instructions.
    • Capability inventory: The skill triggers image generation tools and executes local file system checks via Bash.
    • Sanitization: None. The skill's 'verbatim' policy intentionally bypasses filtering to ensure data integrity.
  • [Command Execution] (SAFE): The skill uses basic Bash commands (test -f) in Step 1.1 to detect the presence of configuration files within the skill's own subdirectories (.baoyu-skills/). This is a legitimate use case for configuration management and does not expose sensitive system paths or process untrusted input.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:30 PM