NYC

presentation-builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill explicitly reads and "incorporates" content from untrusted files in the context/ folder (PDFs, PPTX, CSV, etc.) into its plan and slide generation. There are no instructions for sanitization or boundary markers (e.g., delimiters) to prevent instructions inside these files from being interpreted as commands by the agent.
    • Evidence: SKILL.md instructs the agent to "Read each file found and incorporate into your plan" and "Extract key messages and themes" from user-provided files.
  • Remote Code Execution (HIGH): The skill is granted Bash(npm install:*) and Bash(npm run:*) permissions. This allows the agent to install and execute arbitrary code. An attacker-controlled context document could trick the agent into installing and running a malicious package.
    • Evidence: The allowed-tools section includes Bash(npm run:*) and Bash(npm install:*).
  • Command Execution (HIGH): The skill allows the execution of arbitrary npm scripts. Since the agent generates the content of the project (and potentially the package.json if it modifies the deck structure), it could be manipulated into executing dangerous shell commands via npm run.
    • Evidence: Use of npm run generate and npm run generate-image with dynamic arguments derived from untrusted input.
  • Dynamic Execution (HIGH): The skill generates HTML files based on content extracted from external documents and renders them via Puppeteer. If the extracted content contains malicious scripts, they will be executed within the Puppeteer environment during rendering.
    • Evidence: The skill uses Puppeteer to render HTML slides created from context content.
  • External Downloads (MEDIUM): The skill permits npm install:*. While the NPM registry is generally trusted, the lack of version pinning or package restrictions allows for the installation of malicious or typo-squatted packages if the agent is influenced by an indirect prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:52 AM