show-gallery

Warn

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
  • [DYNAMIC_EXECUTION]: The skill generates a local HTML file (gallery.html) and instructs the agent to execute it using the preview_start and preview_eval tools. The generated code includes JavaScript that dynamically builds the user interface based on the contents of a local folder.
  • [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to exploitation via malicious local file names. The JavaScript in the gallery.html template reads file names from the directory listing and injects them directly into the Document Object Model (DOM) using innerHTML without sanitization.
  • Ingestion points: The loadGallery function in SKILL.md uses fetch('./') to retrieve directory listings from the local filesystem.
  • Boundary markers: No boundary markers or instructions to ignore embedded content are present in the generated code.
  • Capability inventory: The agent uses preview_start to serve the folder, preview_eval to manipulate the session, and preview_screenshot to capture the output, providing a path for an attacker to influence the agent's view or actions.
  • Sanitization: Sanitization is absent. While file extensions are checked via regex, the filenames themselves are not escaped before being rendered via card.innerHTML in the renderGrid function.
  • [COMMAND_EXECUTION]: The skill invokes shell-adjacent platform tools (preview_start, preview_eval) to host and interact with a web server pointing to arbitrary local directories. If the user is tricked into browsing a directory controlled by an attacker, the unsanitized execution environment could be compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 21, 2026, 02:10 AM