canvas-a2ui

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The canvas_image tool in lib/canvas.js performs an unvalidated file read using fs.readFile with the src parameter. This allows the agent to access and encode sensitive files from the host system into the canvas workspace.
  • [DATA_EXFILTRATION]: The canvas_screenshot tool in lib/canvas.js uses fs.writeFile with an agent-supplied outputPath parameter. Without path validation or restriction, this enables the writing or overwriting of files anywhere on the file system the process has permission to access.
  • [REMOTE_CODE_EXECUTION]: The canvas_eval tool executes arbitrary JavaScript via eval() in the headless browser instance. This capability could be leveraged for unauthorized browser-based operations or to probe internal network resources.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the Chart.js library from a well-known CDN (jsdelivr.net) in lib/chart-renderer.js to support its chart visualization features.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its architecture.
      • Ingestion points: canvas_draw, canvas_text, and canvas_eval tools in index.js.
      • Boundary markers: No delimiters or instructions to ignore embedded commands are present.
      • Capability inventory: JavaScript eval in lib/canvas.js, fs.readFile in lib/canvas.js, and fs.writeFile in lib/canvas.js.
      • Sanitization: No sanitization or validation of input data or code strings was identified in the implementation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 05:10 AM