audio-reply

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill implementation uses a shell command (uv run mlx_audio.tts.generate ... --text "...") where the --text argument is filled with data fetched from external URLs via the WebFetch tool. An attacker could host a website containing shell metacharacters (e.g., backticks, $(...), or unbalanced quotes) to break out of the command string and execute arbitrary shell commands on the user's system.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill triggers the download of the mlx_audio package and a large (~500MB) machine learning model (mlx-community/chatterbox-turbo-fp16) at runtime. While this is from a trusted external source (HuggingFace/MLX community) and the skill's homepage is a trusted repository (anthropics), such dynamic downloads should be monitored.
  • [PROMPT_INJECTION] (LOW): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: The WebFetch tool is used to pull content from any user-provided URL into the agent's context.
      • Boundary markers: None. The instructions do not tell the agent to ignore instructions found within the fetched content or to treat it as untrusted.
      • Capability inventory: The agent has the ability to execute shell commands (uv run), delete files (rm -f), and fetch web data.
      • Sanitization: The skill mentions stripping HTML tags, but this does not prevent instruction hijacking or the shell injection mentioned above.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 22, 2026, 05:44 AM