paper-illustration

Warn

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bash scripts in Steps 2 and 3 use unquoted Python heredocs to construct JSON payloads. The shell variables $LAYOUT_REQUEST and $STYLE_REQUEST (which hold content derived from user input and LLM output) are expanded by the shell directly into the Python source text. A malicious input containing a triple single-quote sequence (''') could terminate the string literal and lead to arbitrary Python code execution on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to generativelanguage.googleapis.com via curl to interact with Gemini models. This is consistent with the skill's stated purpose and targets a well-known, trusted service.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion points: User input via $ARGUMENTS and external API responses from Gemini. Boundary markers: Absent; data is directly interpolated into subsequent prompts and scripts without delimiters. Capability inventory: The skill can execute shell commands (bash, python3) and write files to the local system. Sanitization: Absent; there is no validation or escaping of external content before it is used in logic or script generation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 4, 2026, 10:31 AM