seedance-video-gen

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Data Exfiltration (HIGH): The scripts/generate_video.py script allows users to specify local file paths for the --image and --last-frame parameters. These files are then opened and uploaded to the Replicate API using replicate.files.create. Because the script performs no path validation or sandboxing, an attacker could use indirect prompt injection to force the agent to upload sensitive system files (e.g., ~/.ssh/id_rsa, ~/.aws/credentials, or .env) to the external Replicate hosting service.
  • Command Execution (MEDIUM): The skill requires the agent to execute a Python script that handles both local file system access and network operations. While this is part of the skill's primary function, the exposure of these capabilities without strict input sanitization on parameters like the prompt or file paths presents a significant risk for abuse.
  • External Downloads (LOW): The script uses urllib.request.urlretrieve to download the final video from the Replicate API. The destination file path is controlled by user input (--output) without sanitization, which could allow a malicious actor to overwrite arbitrary files in the working directory.
  • Indirect Prompt Injection (LOW): The skill is a target for indirect prompt injection because it ingests untrusted data from user prompts and external URLs.
      • Ingestion points: Untrusted data enters via the prompt, image, and last_frame arguments in scripts/generate_video.py.
      • Boundary markers: Absent. There are no instructions or delimiters used to separate user-provided content from agent commands.
      • Capability inventory: Includes file reading (open), network upload (replicate.files.create), remote model execution (replicate.run), and file writing (urllib.request.urlretrieve).
      • Sanitization: Absent. User-provided strings and paths are passed directly to API calls and file system operations without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:46 PM