The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill processes data from an external, potentially untrusted source (Sketch document layers and share links).
Ingestion points: Reads layer names, IDs, typography, and hierarchy from Sketch via run_code and get_selection_as_image. It also parses Sketch share links.
Boundary markers: Not explicitly defined in the prompts; the agent is instructed to treat Sketch data as 'design intent'.
Capability inventory: Uses run_code (subprocess/script execution within Sketch) and file-writing via sketch.export to /tmp/sketch-assets (SKILL.md Step 4).
Sanitization: No explicit sanitization or instruction to ignore embedded text in layer names that might contain prompt injections targeting the agent.
[Command Execution] (LOW): The skill utilizes run_code to execute JavaScript within the Sketch API environment. While this is the intended primary purpose of the skill for design extraction, it involves dynamic script generation and execution.
[Data Exposure] (SAFE): The skill interacts with a local Sketch server (http://localhost:31126/mcp). While it reads document data, it does so to fulfill its primary purpose, and there is no evidence of exfiltration to non-whitelisted external domains.

sketch-implement-design